Release notes
nevisAuth 8.2411.0.13 - 20.11.2024
Changes and new features
Breaking changes
- REMOVED: The deprecated LegacySecurityTokenService is removed. It was enabled by default when -Dch.nevis.esauth.wstrust.SecurityTokenService.Enabled=true was configured. The replacement for the LegacySecurityTokenService is the SecurityTokenService. (NEVISAUTH-4654)
- REMOVED: We removed the validation that acr_values must contain the value of the acr claim. (NEVISAUTH-4854)
- REMOVED: The jcan-saml and jcan-saml-xmlbeans libs are removed from the nevisAuth RPM. These are transitive dependencies of jcan-sectoken to support the SAML Assertion as a token. These libraries are only used in Ninja for verification purposes, therefore they are not required in nevisAuth. In case you relied on classes from these artifacts in your testing or custom auth states, you can acquire them from Ninja and add them to your classpath manually. (NEVISAUTH-4864)
- CHANGED: The JWTToken auth state configuration token.identifier is renamed to token.outputAttributeName. (NEVISAUTH-4715)
- CHANGED: The default value of the connectionMaxPoolSize property of the Remote session store and OOCD is changed from the previous 20 to 10, to align with the recommended defaults of the underlying library. (NEVISAUTH-4819)
- CHANGED: ScriptState now resolves variables in parameter.[parameterName]. This can be a breaking change if you resolved variables manually before, or if you have a value that looks like an EL expression. (NEVISAUTH-4604)
- NEW: We introduced the property removeEmptyClaimsInToken in the AuthorizationServer AuthState to remove empty claims from the ID Token and Access Token. (NEVISAUTH-4778)
General Changes
- NEW: nevisAuth generates new OpenTelemetry metrics for Jetty worker threads, request statistics, heap size, http client pool statistics. This can help in analysing and observing nevisAuth load. (NEVISAUTH-4746)
- NEW: The JWTToken auth state now allows configuring where the output is stored, using the token.outputAttributeScope configuration option. By default, it is the previous outargs. (NEVISAUTH-4715)
- NEW: HTTP headers can be referred to in the log pattern with the syntax %X{httpHeader.yourHttpHeader}. There is a difference depending on where the HTTP request originates from: authenticate/stepup requests arriving from nevisProxy contain the original HTTP headers of the client in the SOAP request body, and these are made available in the logging context. Other Web and REST services do not have this proprietary mechanism, therefore for those nevisAuth simply uses the HTTP headers of the current request. (NEVISAUTH-4776)
- NEW: connectionMinPoolSize configuration option for the Remote session store and OOCD. Note that by default connectionMinPoolSize takes the value of connectionMaxPoolSize, which means that the pool opens all connections on start; this is the recommended way to maximise performance. For cases where you only want to create connections on demand, you can specify a lower connectionMinPoolSize value. (NEVISAUTH-4819)
- NEW: We introduced openid.jws.addx5c and oauth2.jws.addx5c for adding the x5c field to the ID Token and Access Token header. (NEVISAUTH-4834)
- NEW: We allow the use of EL expressions for claimsRequest in RelyingPartyState and OAuth2ClientState. (NEVISAUTH-4832)
- NEW: We introduced absoluteRefreshTokenLifetime to specify how the lifetime of a Refresh Token is managed when using token rotation. (NEVISAUTH-4745)
- FIXED: We reduced the verbosity of the log entries related to the translation of scope metadata. (NEVISAUTH-4507)
- FIXED: SecurityTokenService logging the confusing error message SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1 when generating an error response. (NEVISAUTH-4681)
- FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also, some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
- FIXED: Unreleased lock causing threads to hang in scenarios where IdentityProviderState received a logout containing a session index but does not act as SOAP logout. (NEVISAUTH-4852)
- FIXED: We removed the limitation of only allowing a certain prefix in the envelope of SOAP logout requests in IdentityProviderState. (NEVISAUTH-4852)
- FIXED: We fixed AccessTokenConsumer not accepting URLs that contain a space. (NEVISAUTH-4788)
- DEPRECATED: The autoRegenerate configuration flag of the TANState is currently not working properly, and it is not possible to fix it with the current codebase, therefore it will be removed in the future. Custom behaviour can be implemented with the existing inputFalse transition mechanism, which allows the customization of the faulty input handling. (NEVISAUTH-4710)
- FIXED: Default logging.yml incorrectly containing jcan.Op instead of OpTrace. (NEVISAUTH-4774)
- FIXED: WSSHeaderValidation auth state not sanitizing passwords in SOAP headers in the log. (NEVISAUTH-4826)
- FIXED: NullPointerException in the ScriptState session variable validation. (NEVISAUTH-4856)
- FIXED: We improved the performance by reducing the introspection endpoint calls for an empty token_type_hint. (NEVISAUTH-4899)
- CHANGED: Most of the log messages produced by the loggers AuthEngine, EsAuthStart and EsAuthSv related to startup were moved from INFO to DEBUG level to speed up startup and clean up the logs, as those messages are not relevant from an operational point of view. (NEVISAUTH-4833)
- FIXED: XmlSec initialization in jcan-saml caused the error message lookup in the wss4j library to fail and produce confusing errors. (NEVISAUTH-4864)
- FIXED: The error responses of the introspection and revocation endpoints were not returned in JSON format. (NEVISAUTH-3998)
- FIXED: The session was not terminated after a SAML concurrent logout. (NEVISAUTH-4491)
- DOWNGRADED: We fixed encrypted SAML message generation with the xenc11:MGF tag by downgrading the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4870)
- UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.47.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons-cli third-party dependency to version 1.19.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons codec third-party dependency to version 1.17.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.17.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons-text third-party dependency to version 1.12.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jaxrs-ri third-party dependency to version 3.1.8. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jaxws-rt third-party dependency to version 4.0.3. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.13. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.22. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Guava third-party dependencies to version 33.3.0-jre. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4836)
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4836)
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2411.0.x. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Libphonenumber third-party dependency to version 8.13.45. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Nimbus OIDC SDK third-party dependency to version 11.19.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Opensaml third-party dependencies to version 4.3.2. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.7. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Rhino third-party dependency to version 1.7.15. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Woodstox third-party dependency to version 7.0.0. (NEVISAUTH-4836)
nevisAuth 8.2405.2.0 - 25.07.2024
Changes and new features
Breaking changes
- FIXED: We changed the SAML Single Logout SOAP implementations of the SP and the IDP to align them more to the specification. Although this is a bugfix, the behavior has changed, so it may break implementations that use them. (NEVISAUTH-4761)
nevisAuth 8.2405.1.1 - 26.06.2024
Changes and new features
Breaking changes
General Changes
- FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
- FIXED: We now set the kid field in the JWKS endpoint with the keyID property of the AuthorizationServer, in case the keyID property exists. (NEVISAUTH-4501)
- FIXED: SecurityTokenService logging the confusing error message SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1 when generating an error response. (NEVISAUTH-4681)
nevisAuth 8.2405.0.4 - 20.05.2024
Changes and new features
Breaking changes
- REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken; use the value SHA256withRSA instead. (NEVISIDM-9456)
- REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following third-party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng, as these can easily cause an unresolvable version clash. (NEVISAUTH-4553)
- REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24). (NEVISAUTH-4667)
- FIXED: The OOCD and Remote session store incorrectly stored time data in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when 1 hour disappears from local time. The MariaDB JDBC driver defaulting to the server timezone caused a double conversion from the local timezone to UTC. Normally this does not cause any issue for nevisAuth, as the read and write paths use the same logic. During the daylight saving time switch, however, it causes a validation error at the database because we try to insert a time that does not exist. The database connection session now uses the UTC timezone to avoid this. Note that because of this change, existing OOCD entries and sessions will expire earlier by the timezone offset. If this is not acceptable, you can fix the data in the DB like this:
update nevisauth_out_of_context_data_service set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
update TNSSA_AUTH_SESSION_CACHE set ABSTO = DATE_ADD(ABSTO, INTERVAL 2 HOUR);
These statements assume Central European Time and that the data was created in summer time (with winter time you have to add only 1 hour). If you get an error like Unknown or incorrect time zone: 'UTC' afterwards, your database does not have the timezone database initialized. You have to run mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p and, to verify the result, you can run SELECT * FROM mysql.time_zone_name; afterwards. Note that this will only affect you if you are upgrading from the java8 els versions or any rolling version >= 4.40.0.10. Upgrading from LTS21 is not affected, as LTS21 does not have this issue yet; it was introduced in NEVISAUTH-4265. (NEVISAUTH-4650)
General Changes
- FIXED: OAuth2 now only returns an error redirect when a valid redirect_uri is provided. (NEVISAUTH-4627)
- FIXED: We made the encryption of the AccessToken work also for OAuth2. (NEVISAUTH-4630)
- FIXED: We fixed corrupted SecToken generated by JWT Bearer Grant Authentication flow. (NEVISAUTH-4631)
- FIXED: Getting a BadConfigurationException when setting nevismeta.httpclient.authorization.basic.* properties. (NEVISAUTH-4520)
- FIXED: The actorCert was not extracted from the HTTP Request. (NEVISAUTH-4649)
- FIXED: A public client without client secret threw an exception during the token request. (NEVISAUTH-4691)
- NEW: We support EC key for JWKS. (NEVISAUTH-4515)
- NEW: Configuration option server.tls.verify-sni, which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information when the hostname does not contain a dot. (NEVISAUTH-4624)
- EXPERIMENTAL: We introduced the property openid.promptParameterSupported for using the prompt parameter in AuthorizationServer. (NEVISAUTH-4526)
- UPGRADED: We upgraded the Angus activation third-party dependencies to version 2.0.2. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Angus mail third-party dependencies to version 2.0.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78. (NEVISAUTH-4641)
- UPGRADED: We upgraded the Commons codec third-party dependency to version 1.16.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.21. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Guava third-party dependencies to version 33.1.0-jre. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0. (NEVISAUTH-4585)
- UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4553)
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4553)
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4585)
- UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 7.0.0. (NEVISAUTH-4553)
- UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.34. (NEVISAUTH-4553)
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Nimbus OIDC SDK third-party dependency to version 11.10.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0. (NEVISAUTH-4546)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.6. (NEVISAUTH-4553)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12. (NEVISAUTH-4553)
- UPGRADED: We upgraded the woodstox third-party dependency to version 6.6.2. (NEVISAUTH-4553)
- UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.4. (NEVISAUTH-4553)
- DEPRECATED: The LegacySecurityTokenService has been deprecated since 2011. It is enabled by default when -Dch.nevis.esauth.wstrust.SecurityTokenService.Enabled=true is configured. The LegacySecurityTokenService will be removed in the 2024 November release. The replacement for the LegacySecurityTokenService is the SecurityTokenService. (NEVISAUTH-4654)
nevisAuth 7.2402.1.2 - 28.03.2024
Changes and new features
General Changes
- FIXED: OAuth2 JWT Bearer Authorization Grant and JWT Client authentication not working correctly. (NEVISAUTH-4596)
nevisAuth 7.2402.0.6 - 21.02.2024
Changes and new features
Breaking changes
- CHANGED: The transferId initiated by nevisProxy is replaced by the traceparent, which consists of the trace_id and span_id (OpenTelemetry terminology). In nevisAuth interfaces the TransferId is renamed to TraceId; in log patterns you can reference it via %X{trace_id}. The jcan.Op logging category is replaced by OpTrace: INFO for regular tracing, DEBUG for more detailed information. See OpenTelemetry monitoring setup. (NEVISAUTH-4508)
- CHANGED: Changed the way nevisAuth communicates with nevisMeta for Persisted Consent and Refresh Token from XML to JSON. (NEVISAUTH-4555)
- CHANGED: The scopes in the request parameter for OAuth 2.0/OpenID Connect can only be separated by a space " ". This is directly related to a breaking change in the Nimbus third-party library; you are only affected if you combine scopes manually with a "," separator. (NEVISAUTH-4535)
General Changes
- FIXED: A deadlock occurring in scenarios where several clients are using the same session attempt to authenticate at the same time. (NEVISAUTH-4525)
- FIXED: We fixed the error response for missing response type in Authorization requests. (NEVISAUTH-4494)
- UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.16. (NEVISAUTH-4535)
- UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the Bouncy castle third-party dependency to version 1.77. (NEVISAUTH-4535)
- UPGRADED: We upgraded the checker-qual third-party dependency to version 3.42.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the commons-cli third-party dependency to version 1.16.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the commons-lang3 third-party dependency to version 3.14.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the commons-text third-party dependency to version 1.11.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the jackson third-party dependencies to version 2.16.1. (NEVISAUTH-4535)
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.5. (NEVISAUTH-4535)
- UPGRADED: We upgraded the jaxws-rt third-party dependency to version 4.0.2. (NEVISAUTH-4535)
- UPGRADED: We upgraded the jetty third-party dependencies to version 11.0.19. (NEVISAUTH-4535)
- UPGRADED: We upgraded the HikariCP third-party dependency to version 5.1.0. (NEVISAUTH-4535)
- UPGRADED: We updated the Groovy third-party dependency to version 4.0.17. (NEVISAUTH-4535)
- UPGRADED: We updated the Guava third-party dependency to version 33.0.0-jre. (NEVISAUTH-4535)
- UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.27. (NEVISAUTH-4535)
- UPGRADED: We upgraded the kerb4j third-party dependency to version 0.2.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.2. (NEVISAUTH-4535)
- UPGRADED: We upgraded the Nimbus OIDC SDK third-party dependency to version 11.9. (NEVISAUTH-4535)
- UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 6.0.11. (NEVISAUTH-4535)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.1. (NEVISAUTH-4535)
- UPGRADED: We upgraded the xmlbeans third-party dependency to version 5.2.0. (NEVISAUTH-4535)
- UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.2. (NEVISAUTH-4535)
- FIXED: The JWTToken and AccessTokenConsumer auth states now support private keys with an elliptic curve algorithm when using PKCS11 integration (typically an HSM). Note that in this case the keycurve parameter must be specified, as the algorithm cannot be extracted from the key itself. (NEVISAUTH-4449)
- FIXED: Initialization failure when using key material from HSM via PKCS11. (NEVISAUTH-4085)
- NEW: The X509Login auth state has a new configuration option loadFileSystemFirst, which allows switching the load order of the key material when the cryptoMaterialSupplier is configured to ldapwithfilesystem. By default, LDAP is loaded first and the filesystem afterwards; configuring loadFileSystemFirst=true will first load the key material from the file system. (NEVISAUTH-4439)
- NEW: We added OpenTelemetry metrics listing the configured auth state classes for analytical purposes. (NEVISAUTH-4503)
- NEW: Supporting PostgreSQL version 15.4. (NEVISAUTH-4564)
- NEW: We added support for using JWT Bearer Token for Client Authentication in Authorization Server. (NEVISAUTH-4397)
- NEW: We added support for JWT Bearer Grant. (NEVISAUTH-4512)
- NEW: We introduced the property relayState.transformation to disable automatic RelayState encoding for ServiceProviderState. (NEVISAUTH-3972)
nevisAuth 7.2311.0.6 - 15.11.2023
Changes and new features
Breaking changes
- REMOVED: The FileSystemOOCDService is removed. For testing purposes use the LocalOutOfContextDataStore configuration (in-memory). For production purposes use the RemoteOutOfContextDataStore configuration (SQL-based). By default there is no OOCD configured, as it is only required for certain use cases. If the use of OOCD is attempted when it is not configured, an error is thrown at runtime. SAML and OAuth2 / OIDC flows both require OOCD, as does any case where you used the OOCD in your esauth4.xml EL expressions, ScriptStates or custom Java AuthStates. Visit OOCD Changes for additional information. (NEVISAUTH-4329)
- REMOVED: The EL expression variables AuthDateUtils, DateFormatUtils, DateUtils, DateTimeZone and DateTime are removed. Use the following java.time classes instead: Duration, DateTimeFormatter, Instant, LocalDate, LocalDateTime, ZonedDateTime, ZoneOffset, ZoneId, ChronoUnit. Visit Appendix G; for more, see the tutorial and specification. (NEVISAUTH-4128)
- REMOVED: We removed the deprecated SapTicketValidator auth state. (NEVISAUTH-4126)
- REMOVED: We removed the deprecated FrontendKerberosAuthState and BackendKerberosAuthState auth states. The replacement for the FrontendKerberosAuthState is the KerberosLoginAuthState. The BackendKerberosAuthState has no replacement. (NEVISAUTH-3823)
- REMOVED: We removed the deprecated auth states ch.nevis.esauth.auth.states.standard.Dispatcher and ch.nevis.esauth.auth.states.jndi.DomainDispatcher. For dispatching purposes use the ConditionalDispatcherState instead. (NEVISAUTH-4131)
- REMOVED: We removed the deprecated demo auth states ClientCertInfo and ClientCertFingerprint. (NEVISAUTH-4213)
- REMOVED: We removed the deprecated AuthHandoverState. (NEVISAUTH-4214)
- REMOVED: We removed the undocumented AuthDispatcher auth state. (NEVISAUTH-4445)
- REMOVED: We removed the deprecated aspsmssoap channel in the Tan auth state; use the http channel instead. (NEVISAUTH-4135)
- REMOVED: We removed the third-party dependencies commons-collections, commons-lang, commons-digester and commons-beanutils, which are optional dependencies of Jradius. If those are required for your use case, add them manually to the AuthState classpath. (NEVISAUTH-4164)
- REMOVED: We removed the joda-time third-party dependency. (NEVISAUTH-4128)
- REMOVED: We removed the commons-io third-party dependency. (NEVISAUTH-3887)
- REMOVED: We removed the bcprov-jdk15on and bcpkix-jdk15on third-party dependencies (replaced by jdk18on). (NEVISAUTH-4115)
- REMOVED: We removed the jcan-log and jcan-optrace third-party dependencies. OpTrace logging is replaced by OpenTelemetry. (NEVISAUTH-4089)
- REMOVED: We removed the backwards compatibility system property ch.nevis.esauth.wstrust.SecurityTokenService.SecTokenHackURI. (NEVISAUTH-2098)
- REMOVED: We removed the deprecated configuration option crlExpirationTolerance in the X509Login auth state, use the replacement revocationCheckExpirationTolerance instead. (NEVISAUTH-3931)
- REMOVED: Breaking changes in nevisAuth API and internal classes. Visit Java 17 Upgrade (NEVISAUTH-3931)
- REMOVED: The configuration option connectionMaxRetry of the remote session store was removed; it is no longer used with the new HikariCP based connection pooling. (NEVISAUTH-4097)
- REMOVED: The configuration and notes properties smtpHost and smtpPort of the SendMail and the Tan auth states are removed. Use mail.smtp.host and mail.smtp.port instead. (NEVISAUTH-4201)
- REMOVED: The deprecated http://www.adnovum.ch/schema/nevis_sectoken.xsd TokenType in the RequestSecurityToken object for the SecurityTokenService is removed; use http://nevis.ch/nevisauth/xsd/secToken#CSSO-1.0 instead. We no longer guess a default TokenType if none is specified; clients must send the TokenType. (NEVISAUTH-4239)
- REMOVED: jcan-saml is now streamlined to its sole purpose: verifying SAML Assertions. Generation, signing and command line utilities are removed and jcan-saml-tools is discontinued. (NEVISAUTH-4134)
- REMOVED: Deprecated methods and command line utilities in jcan-sectoken are removed. (NEVISAUTH-3856)
- REMOVED: Custom SessionId generation by configuring your custom class using "file://..." in the sessionIdRandomBytes is removed. (NEVISAUTH-4381)
- REMOVED: The deprecated securityLevel attribute of the esauth-server element in the esauth4.xml is removed. (NEVISAUTH-4387)
- REMOVED: The syncDelay, syncRefreshInterval attributes of the RemoteSessionStore are removed. (NEVISAUTH-4387)
- REMOVED: The session option of the service.binding configuration option was removed. The session-bound web service client was not saved in the database, rendering the option useless in most setups. This option could be configured in the SecurityTokenServiceClient, RadiusAuthState and MobileSignatureState. The default value remains thread. (NEVISAUTH-4424)
- REMOVED: The legacyjdbc provider option for the RemoteSessionStore is removed. (NEVISAUTH-4279)
- REMOVED: JavaScript support for the ScriptState is removed. Use Groovy scripts instead. (NEVISAUTH-4369)
- CHANGED: OOCD, Session and SecToken related interfaces are changed to use Instant and Duration types instead of Date and long. The useGmt configuration option is removed from the TokenSpec in the TokenAssembler (default was useGmt=true). Note that in case you used useGmt=false in the TokenAssembler the system will be switched to use UTC and all currently valid sectokens in your system will become invalid as the issue date is part of the signature. (NEVISAUTH-4173)
- CHANGED: We now set the java.io.tmpdir system property by default to /var/opt/nevisauth/<instance>/tmp. When nevisAuth is started, Jetty unpacks the nevisauth .war file there and requires it at runtime. Originally the system /tmp folder was used for this purpose; however, in some cases a system cleanup job deletes the Jetty-prefixed directories, which causes nevisAuth to return errors. (NEVISAUTH-4461)
- CHANGED: The default mail.transport.protocol is now smtps. In case you didn't specify this, properties defined as mail.smtp will not work anymore. Change those to mail.smtps. (NEVISAUTH-4201)
- CHANGED: The nevisAuth session API only accepts String attribute values. Previously it was possible to add any value; if it was not a String, a warning was logged and it was not saved to the database. This change can be tricky with ScriptStates, as Groovy does not do type-safe checks for the session Map used in the scripts. It is possible to add and retrieve a non-String value inside the script, but a java.lang.ClassCastException happens in Java. To make finding errors easier, nevisAuth now actively checks for such cases after the execution of the script and throws an error detailing what is wrong. In your scripts you might have to change the behaviour to store a String value, either by changing your logic or by serialising your object to a String. (NEVISAUTH-4424)
- CHANGED: The new Jetty version used in nevisAuth performs stricter validation of TLS connections. The SNI will be checked to match the hostname in the configured certificate. (NEVISAUTH-4089)
- CHANGED: The SQL based OOCD and remote session store user and password configuration fallback for the attributes are also applied if they are set to be empty. Schema user password now falls back together with the schema user, not independently. An empty user or password for the data user is no longer accepted. (NEVISAUTH-4480)
- UPGRADED: We upgraded the groovy third-party dependencies to version 4.0.15. See groovy 4 release notes for changes. (NEVISAUTH-4252)
- UPGRADED: We upgraded from EL-API 2.0 to EL-API 5.0. You should check your existing EL statements used for compatibility. (NEVISAUTH-4109)
- UPGRADED: We upgraded the Servlet API to version 5. Migration from javax.servlet packages to jakarta.servlet. (NEVISAUTH-4089)
- NEW: ScriptStates now automatically import the following three nevisAuth classes: HttpClient, Http and HttpClients. HttpClients is made available via binding; see the new way to create and use HTTP clients below. Additionally, some of the most common classes from the java.time API are imported. In case this causes a problem, this behaviour can be disabled by setting the addAutoImports configuration property to false.
- NEW: ScriptStates can create an HTTP client using the new HttpClients.create() method, which takes the configuration properties automatically from the ScriptState configuration. Note that this method caches the HTTP client per ScriptState instance (so each ScriptState has its own HTTP client), therefore it is not recreated at every request. (In case this is not desired, you can resort to the previously available creation methods.) This feature is only available for ScriptStates and not in other places. For the same reason, you should not import HttpClients when using the new method (that would result in a Groovy exception that this method is not found).
- FIXED: We fixed the incorrect issue_date for refresh tokens. (NEVISAUTH-4469)
General Changes
- FIXED: We fixed an NPE when an Authorization Request is sent to the Authorization Server without client_id. (NEVISAUTH-4403)
- FIXED: Content Type header (cty) with value JWT is added for Access Tokens and ID Tokens that contain JWT tokens in the payload. (NEVISAUTH-4426)
- FIXED: Type header (typ) with value JWT is added for the nested tokens within the payload of Access Tokens and ID Tokens. (NEVISAUTH-4426)
- FIXED: The auth_time claim is added to ID Tokens. (NEVISAUTH-4436)
- FIXED: The OAuth2 authorization request no longer throws an error from OOCD; the maximum length of the Client ID is limited to 500 characters. (NEVISAUTH-4401)
- FIXED: The SessionCoordinator accidentally releasing the writelock on the session when calling getSession in case the session was already writelocked from the same thread. This should only concern you if you directly use the SessionCoordinator in a custom auth state. Or if in a unit test you acquired the session for asserting some properties, in case the session was not released these test will possibly fail now (depending on what they are doing exactly). (NEVISAUTH-4442)
- FIXED: The session object sometimes incorrectly returns the creation and last access time. This should only concern you if you built any logic on those fields. (NEVISAUTH-4382)
- FIXED: The JWTToken and AccessTokenConsumer auth states now support private keys with an elliptic curve algorithm when using PKCS11 integration (typically an HSM). Note that in this case the keycurve parameter must be specified, as the algorithm cannot be extracted from the key itself. (NEVISAUTH-4449)
- FIXED: The killSessions method of SessionCoordinator stopped killing sessions when an invalid session was found in the list of sessions to be killed. (NEVISAUTH-4382)
- CHANGED: Sessions are now actively removed from the local session store on invalidation. Previous fix allowing the session reaper to remove invalid sessions remains in place as a safety mechanism. Session invalidation is issued by ThottleSessionState and SAML logout (via the logout nevisAuth operation). (NEVISAUTH-4405).
- CHANGED: The MobileSignatureState is now using the CMS implementation from BouncyCastle instead of PKCS7. (NEVISAUTH-3814)
- CHANGED: The SapTicketIssuer is now using the CMS implementation from BouncyCastle instead of PKCS7. The auth state is no longer deprecated. (NEVISAUTH-4376)
- CHANGED: Method lookup in EL expressions in esauth4.xml now prefers a method whose parameters match the arguments exactly over a varargs variant. Previously the result of an expression could be unpredictable when calling a method that also had a varargs variant: the outcome changed randomly with the order in which reflection returned the methods. An example of a method call susceptible to this: `StringUtils.join`. (NEVISAUTH-4180)
- CHANGED: The deprecated Java `X509Certificate.getSubjectDN()` and `X509Certificate.getIssuerDN()` calls were replaced in the nevisAuth codebase. nevisAuth used the non-standard Java formatting of `getSubjectDN().getName()` for the String DN representation. To remain backwards compatible we now use `X509Certificate.getSubjectX500Principal().toString()`, which produces the same formatting as the old call. Note that `X509Certificate.getSubjectX500Principal().getName()` uses RFC 2253 formatting, which differs from the non-standard format; keep this in mind if you have to make the same change in custom auth states. The following auth states are affected: X509Login, MobileSignatureState, WSSHeaderValidation, SAML, as well as certificate handling in general and the SecurityTokenService. Furthermore, the non-standard RDN attribute separator `/` is no longer supported in X509Login. (NEVISAUTH-4132)
- CHANGED: We now set the `java.io.tmpdir` system property by default to `/var/opt/nevisauth/<instance>/tmp`. When nevisAuth is started, Jetty unpacks the nevisauth .war file there and requires it at runtime. Originally the system /tmp folder was used for this purpose, but in some cases a system cleanup job deletes the Jetty-prefixed directories, which causes nevisAuth to return errors. (NEVISAUTH-4461)
- CHANGED: Added back the `connectionMaxLifeTime` property for the remote session store; the default value is now 1800000 (30 minutes). (NEVISAUTH-4473)
- NEW: Added RHEL 9 support. (NEVISAUTH-4421)
- UPGRADED: We upgraded the Bouncy Castle third-party dependency to version 1.76. (NEVISAUTH-4115)
- UPGRADED: We upgraded the checker-qual third-party dependency to version 3.39.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the commons-lang3 third-party dependency to version 3.13.0. (NEVISAUTH-4420)
- UPGRADED: We upgraded the jhlabs filters third-party dependency used in the CaptchaState to version 2.0.235-1. (NEVISAUTH-4124)
- UPGRADED: We upgraded the FastInfoset third-party dependency to version 2.1.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jackson third-party dependencies to version 2.15.3. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jakarta-activation-api, jakarta-annotation-api, jakarta-inject, jakarta-json-api third-party dependencies to version 2.1.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jakarta-json-bind third-party dependency to version 3.0.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jakarta-validation third-party dependency to version 3.0.2. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jakarta.ws.rs.api third-party dependency to version 3.1.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jakarta.xml.bind-api, jakarta.xml.ws-api third-party dependency to version 4.0.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jakarta.xml.soap-api third-party dependencies to version 3.0.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the javassist third-party dependency to version 3.29.0-GA. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jaxws-rt third-party dependency to version 4.0.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jersey third-party dependencies to version 3.1.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the jetty third-party dependencies to version 11.0.17. (NEVISAUTH-4089)
- UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.10. (NEVISAUTH-4163)
- UPGRADED: We upgraded the HikariCP third-party dependency to version 5.0.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the hk2-api third-party dependency to version 3.0.3. (NEVISAUTH-4089)
- UPGRADED: We upgraded the hk2-locator third-party dependency to version 3.0.3. (NEVISAUTH-4089)
- UPGRADED: We upgraded the hk2-utils third-party dependency to version 3.0.3. (NEVISAUTH-4089)
- UPGRADED: We upgraded the guava third-party dependency to version 32.1.3-jre. (NEVISAUTH-4089)
- UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.23. (NEVISAUTH-4089)
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.20.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.2.0. (NEVISAUTH-4420)
- UPGRADED: We upgraded the mimepull third-party dependency to version 1.10.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the Nimbus OIDC SDK third-party dependency to version 11.2. (NEVISAUTH-4089)
- UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 6.0.10. (NEVISAUTH-4089)
- UPGRADED: We upgraded the opensaml third-party dependencies to version 4.3.0. (NEVISAUTH-4075)
- UPGRADED: We upgraded the org.eclipse.persistence.asm third-party dependency to version 9.4.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the org.eclipse.persistence.core, org.eclipse.persistence.moxy third-party dependencies to version 4.0.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the saaj-impl third-party dependency to version 3.0.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.9. (NEVISAUTH-4089)
- UPGRADED: We upgraded the stax-ex third-party dependency to version 2.1.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the streambuffer third-party dependency to version 2.1.0. (NEVISAUTH-4089)
- UPGRADED: We upgraded the xmlbeans third-party dependency to version 5.1.1. (NEVISAUTH-4089)
- UPGRADED: We upgraded the yasson third-party dependency to version 3.0.2. (NEVISAUTH-4089)
- UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.0. (NEVISAUTH-4075)
- UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4393)
- DEPRECATED: Third party library commons-codec is deprecated, now only used as a transitive dependency while it is needed. (NEVISAUTH-4169)
nevisAuth 4.40.3.0 - 06.10.2023
Changes and new features
General Changes
- FIXED: SAML SP-initiated SOAP logout no longer fails with a `NullPointerException`. (NEVISAUTH-4444)
- FIXED: Access tokens are now signed with the `ES256` algorithm instead of `RS256` when Elliptic Curve keys are used. (NEVISAUTH-4427)
nevisAuth 4.40.2.2 - 25.09.2023
Changes and new features
General Changes
- FIXED: We fixed parallel requests producing a `StaleSessionException` when using the same nevisAuth session. The issue happened when one of the requests killed the session. (NEVISAUTH-4422)
- FIXED: The local session reaper now removes invalid sessions from memory to avoid filling it up. The issue can arise when using ThottleSessionState or SAML logout (via the logout nevisAuth operation). (NEVISAUTH-4405)
- FIXED: We fixed an error in the state handling of the session which caused the initial session state information to be lost when synchronizing to the database. This could cause the pre-generated session id not to be used even though the warning "Keeping existing session to honor sessionIdPreGenerate" was printed. The fix only applies to new sessions; existing sessions cannot be fixed. (NEVISAUTH-4017)
- FIXED: The Content Type header (`cty`) with value `JWT` is added for Access Tokens and ID Tokens that contain JWT tokens in the payload. (NEVISAUTH-4426)
- FIXED: The Type header (`typ`) with value `JWT` is added for the nested tokens within the payload of Access Tokens and ID Tokens. (NEVISAUTH-4426)
- FIXED: The `auth_time` claim is added to ID Tokens. (NEVISAUTH-4436)
- FIXED: The incorrect default file path was corrected to "/opt/nevisauth/plugin"; it was producing the error `Skipping unreadable file or directory on classPath: /opt/nevisauth/plugin/lib`. This happens when the auth state classPath is set together with `classLoadStrategy="PARENT_LAST"`. In this case the path "/opt/nevisauth/plugin" is automatically added to the auth state classPath as the last entry. (NEVISAUTH-4433)
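The header rules behind NEVISAUTH-4426 and NEVISAUTH-4436 above (an outer token that carries a JWT in its payload must set `cty: JWT`, the nested token must set `typ: JWT`, and an ID Token must carry `auth_time`) are easy to verify on tokens you pull from a running system. The following is an added Python example, not nevisAuth code: it mints tokens the way a pre-fix and a post-fix issuer would and checks them. It signs with HS256 from the standard library instead of the RS256/ES256 keys an authorization server uses, carries the nested token in a claim named `nested_token` (a constructed name; the notes only say "in the payload"), and uses a constructed key and a fixed clock so it runs offline.

```python
"""Nested-JWT header checks (added example, not nevisAuth code).

Mints tokens as a pre-fix and a post-fix issuer would and validates the header
rules from the release notes: outer `cty: JWT` when a JWT is nested in the
payload, `typ: JWT` on the nested token, and an integer `auth_time` on ID Tokens.
HS256 via the standard library keeps it offline; key, claim names and timestamps
are constructed for illustration."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-key-do-not-reuse"   # constructed, illustration only
NOW = 1_700_000_000                                # fixed clock for determinism
JWS_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(header: dict, payload: dict, key: bytes = SECRET) -> str:
    """Compact JWS serialization with an HS256 signature."""
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def parse_jws(token: str, key: bytes = SECRET) -> tuple[dict, dict]:
    """Verify the HS256 signature first, then return (header, payload)."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def mint_access_token(hardened: bool) -> str:
    """hardened=False reproduces the pre-fix headers, hardened=True the fixed ones.
    The nested token is carried in a constructed claim named `nested_token`."""
    inner_header = {"alg": "HS256"}
    outer_header = {"alg": "HS256", "typ": "JWT"}
    if hardened:
        inner_header["typ"] = "JWT"   # RFC 7519 section 5.1
        outer_header["cty"] = "JWT"   # RFC 7519 section 5.2, nested JWT
    inner = sign_jws(inner_header, {"sub": "alice", "iat": NOW, "exp": NOW + 300})
    return sign_jws(outer_header, {"sub": "alice", "iat": NOW, "exp": NOW + 300,
                                   "nested_token": inner})


def mint_id_token(with_auth_time: bool) -> str:
    claims = {"sub": "alice", "iat": NOW, "exp": NOW + 300, "aud": "client-a"}
    if with_auth_time:
        claims["auth_time"] = NOW - 60   # authentication happened before issuance
    return sign_jws({"alg": "HS256", "typ": "JWT"}, claims)


def check_nested_headers(token: str) -> list[str]:
    """Findings for the cty/typ rules; an empty list means the token is clean."""
    findings = []
    header, payload = parse_jws(token)
    nested = [v for v in payload.values() if isinstance(v, str) and JWS_RE.match(v)]
    if nested and header.get("cty") != "JWT":
        findings.append("outer token carries a nested JWT but lacks cty=JWT")
    for inner in nested:
        try:
            inner_header, _ = parse_jws(inner)
        except ValueError as exc:
            findings.append(f"nested token rejected: {exc}")
            continue
        if inner_header.get("typ") != "JWT":
            findings.append("nested token lacks typ=JWT")
    return findings


def check_id_token(token: str) -> list[str]:
    """auth_time must be present, an integer, and not later than iat."""
    findings = []
    _, payload = parse_jws(token)
    auth_time = payload.get("auth_time")
    if not isinstance(auth_time, int):
        findings.append("ID Token lacks an integer auth_time claim")
    elif auth_time > payload.get("iat", auth_time):
        findings.append("auth_time lies after iat")
    return findings


if __name__ == "__main__":
    print(check_nested_headers(mint_access_token(hardened=False)))
    print(check_nested_headers(mint_access_token(hardened=True)))
    print(check_id_token(mint_id_token(with_auth_time=False)))
```

The signature is verified before any header is inspected, so an attacker cannot use a forged `cty` or `typ` to steer the parser; keep that order when you port the check to a verifier that uses the real signing keys.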
nevisAuth 4.40.1.0 - 30.08.2023
Changes and new features
General Changes
- FIXED: We removed the validation between the `client_id` in the token and the `client_id` in the Authorization header for the token introspection endpoint. (NEVISAUTH-4402)
nevisAuth 4.40.0.10 - 16.08.2023
Changes and new features
This release requires manually patching the SQL-based OOCD - if it is in use. Refer to the breaking changes section below.
Breaking changes
- FIXED: The SQL OOCD incorrectly stored timestamps in the system default timezone in the `reap_timestamp` column. (The remote session store is not affected.) After the fix, UTC timestamps are always stored. Existing data can be migrated with the following script if required (in case your nevisAuth instance was NOT running in UTC, or existing sessions need to remain consistent):

  ```sql
  UPDATE nevisauth_out_of_context_data_service SET reap_timestamp = CONVERT_TZ(reap_timestamp, 'Europe/Zurich', 'UTC');
  ```

  Replace the timezone in the script with the one nevisAuth was actually running in! When you check the data, note that mysql or any other client converts timestamps to the timezone of the session. To see the UTC values in your SQL client, change your client's session timezone to UTC for the current session: `SET @@session.time_zone = '+00:00';`. (NEVISAUTH-4265)
- CHANGED: The default remote session connector is replaced with a HikariCP-based implementation, matching the OOCD implementation. The old behaviour is available by configuring `provider="legacyjdbc"`. This fallback option will be removed in the November release. The new implementation also brings new properties: `connectionSchemaUser` and `connectionSchemaPassword`, which are used when `connectionAutomaticDbSchemaSetup` is enabled (it is by default) to create the tables. For existing setups you might have to create a schema user or set `connectionAutomaticDbSchemaSetup` to false. (If no schema user is provided, nevisAuth falls back to the regular connection user, and if that user has no table creation privileges it will fail.) Another new property is `connectionTimeout`. Also note that since MySQL support was removed in the May release, the new implementation throws an error if a MySQL JDBC URL is configured (the old implementation did not forbid that). (NEVISAUTH-4279)
- CHANGED: The default timestamp behaviour is aligned on database level, to avoid relying on the MariaDB behaviour for update operations. nevisAuth itself is not affected at this point. For non-docker based setups the following script should be run manually. (NEVISAUTH-4285)

  ```sql
  ALTER TABLE `TNSSA_AUTH_SESSION_CACHE` MODIFY COLUMN `ABSTO` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
  ALTER TABLE `nevisauth_out_of_context_data_service` MODIFY COLUMN `reap_timestamp` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
  ```
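Before running the `CONVERT_TZ` migration for NEVISAUTH-4265 it is worth computing the expected UTC values for a handful of rows, since a `reap_timestamp` that is off by the local offset makes out-of-context data expire an hour too early or too late. The following added Python example (not nevisAuth code) mirrors what the SQL function does for a local zone; the rows are constructed and the zone is assumed to be Europe/Zurich as in the script above. Wall times inside a DST gap or overlap are flagged rather than converted, because they map to no UTC instant or to two of them.

```python
"""UTC migration check for a timestamp column (added example, not nevisAuth code).

Mirrors what CONVERT_TZ(reap_timestamp, '<local zone>', 'UTC') does so you can
compute expected values for sample rows before and after running the migration
script. The rows are constructed and the zone is assumed to be Europe/Zurich, as
in the release-note script. Local wall times inside a DST gap or overlap are
flagged for manual review instead of converted, since they map to no UTC instant
or to two of them."""
from __future__ import annotations
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

UTC = timezone.utc


def classify_local(naive: datetime, zone: ZoneInfo) -> str:
    """'ok', 'nonexistent' (inside a DST gap) or 'ambiguous' (inside a DST overlap)."""
    early = naive.replace(tzinfo=zone, fold=0)
    late = naive.replace(tzinfo=zone, fold=1)
    # A wall time that does not survive a UTC round trip never existed locally.
    if early.astimezone(UTC).astimezone(zone).replace(tzinfo=None) != naive:
        return "nonexistent"
    # Two different offsets for the same wall time means it occurred twice.
    if early.utcoffset() != late.utcoffset():
        return "ambiguous"
    return "ok"


def to_utc(naive: datetime, zone: ZoneInfo) -> datetime:
    """Naive local wall time -> naive UTC wall time, like CONVERT_TZ(ts, zone, 'UTC')."""
    return naive.replace(tzinfo=zone).astimezone(UTC).replace(tzinfo=None)


def plan_migration(rows: list[tuple[int, datetime]], zone_name: str):
    """Split rows of (id, naive local reap_timestamp) into converted and flagged lists."""
    zone = ZoneInfo(zone_name)
    converted, flagged = [], []
    for row_id, ts in rows:
        status = classify_local(ts, zone)
        if status == "ok":
            converted.append((row_id, to_utc(ts, zone)))
        else:
            flagged.append((row_id, ts, status))
    return converted, flagged


# Constructed rows: summer time, winter time, DST overlap, DST gap (Europe/Zurich, 2023).
SAMPLE_ROWS = [
    (1, datetime(2023, 7, 15, 12, 0, 0)),
    (2, datetime(2023, 1, 15, 12, 0, 0)),
    (3, datetime(2023, 10, 29, 2, 30, 0)),
    (4, datetime(2023, 3, 26, 2, 30, 0)),
]

if __name__ == "__main__":
    converted, flagged = plan_migration(SAMPLE_ROWS, "Europe/Zurich")
    for row_id, utc_ts in converted:
        print(f"row {row_id}: reap_timestamp -> {utc_ts.isoformat(sep=' ')} UTC")
    for row_id, ts, status in flagged:
        print(f"row {row_id}: {ts.isoformat(sep=' ')} is {status}, review by hand")
```

`CONVERT_TZ` returns a single value for rows in the overlap hour without indicating the ambiguity, so compare its output for those rows against both candidates (fold 0 and fold 1) and decide per row; for the gap hour, any value the database produces is an interpretation rather than a conversion.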
General Changes
- FIXED: No `NullPointerException` is printed into the log anymore when an unauthenticated request calls the PAR endpoint. (NEVISAUTH-4248)
- FIXED: We added a validation for the Token Revocation service: the `client_id` of the token must match the `client_id` of the authenticated caller. (NEVISAUTH-3997)
- FIXED: The RelyingPartyState now correctly uses the nevisAuth HttpClient and adheres to the `httpclient.*` configuration options. Previously it used HttpUrlConnection to access the jwks_uri. (NEVISAUTH-4295)
- FIXED: Excessive stacktraces printing java.lang.NoSuchMethodException on DEBUG level in EL expression evaluations are removed. (NEVISAUTH-4298)
- FIXED: The getHttpHeader method in the request object is now also properly accessible from EL expressions in the esauth4.xml. (NEVISAUTH-4331)
- FIXED: The SwissPhone TAN channel incorrectly sent a UTF-8 encoded payload to the SMS provider. We now use ISO-8859-1 as stated by the provider specification. This fixes, for example, garbled characters showing instead of umlauts in the text message. (NEVISAUTH-4321)
- FIXED: The AuthorizationServer transition with `invalid-redirect-uri` now displays an error message on the UI instead of redirecting to the invalid URI. (NEVISAUTH-4362)
- NEW: The `AuthorizationServer` and `AccessTokenConsumer` auth states now support Elliptic Curve (EC) keys besides RSA keys for Access Tokens. (NEVISAUTH-4358)
- NEW: The `AuthorizationServer` auth state now supports ID Token encryption using keys from a JWKS. You can configure this either inline or in nevisMeta, using the following client properties: `jwks`, `jwksUri`, `idTokenEncryptedResponseAlg`, `idTokenEncryptedResponseEnc`. As per the specification, encryption is done when the `idTokenEncryptedResponseAlg` property is set, and the keys are taken from `jwks`/`jwksUri`. Additionally we added the property `idTokenSignedResponseAlg`, which allows you to configure the ID Token signature algorithm. Further new properties are `openid.jwks.httpclient.*`, which are used when downloading keys from the jwksUri. The changes above have no effect on Access Token encryption / signing. (NEVISAUTH-4269)
- NEW: The `AuthorizationServer` auth state now supports Refresh Token rotation. It can be enabled by setting the `rotateRefreshToken` property to `true`. (NEVISAUTH-4320)
- NEW: We added support for the `acr` claim in the ID Token. To achieve this, we added the new property `openid.acr_values_supported` to the `AuthorizationServer` and `acr_values` to the `RelyingPartyState`. The `DiscoveryService` returns the supported `acr` values in the `acr_values_supported` property. (NEVISAUTH-4341)
- NEW: The `AuthorizationServer` auth state now supports mapping between custom scope(s) and custom claim(s). (NEVISAUTH-4352)
- UPGRADED: We updated the checker-qual third-party dependency to version 3.36.0. (NEVISAUTH-4324)
- UPGRADED: We updated the commons-codec third-party dependency to version 1.16.0. (NEVISAUTH-4324)
- UPGRADED: We updated the commons-fileupload third-party dependency to version 1.5. (NEVISAUTH-4324)
- UPGRADED: We updated the commons-io third-party dependency to version 2.13.0. (NEVISAUTH-4324)
- UPGRADED: We updated the eclipse moxy third-party dependency to version 2.7.12. (NEVISAUTH-4280)
- UPGRADED: We updated the Groovy third-party dependency to version 3.0.18. (NEVISAUTH-4324)
- UPGRADED: We updated the Guava third-party dependency to version 32.1.1-jre. (NEVISAUTH-4324)
- UPGRADED: We updated the Jackson third-party dependency to version 2.15.2. (NEVISAUTH-4280)
- UPGRADED: We updated the Jaxb & Jaxws-rt third-party dependency to version 2.3.6. (NEVISAUTH-4280)
- UPGRADED: We updated the Jaxrs third-party dependency to version 2.39.1. (NEVISAUTH-4280)
- UPGRADED: We updated the Jetty third-party dependency to version 9.4.51.v20230217. (NEVISAUTH-4280)
- UPGRADED: We updated the Joda time third-party dependency to version 2.12.5. (NEVISAUTH-4280)
- UPGRADED: We updated the json-smart third-party dependency to version 2.5.0. (NEVISAUTH-4280)
- UPGRADED: We updated the libphonenumber third-party dependency to version 8.13.17. (NEVISAUTH-4324)
- UPGRADED: We updated the ldap unboundid third-party dependency to version 6.0.9. (NEVISAUTH-4324)
- UPGRADED: We updated the log4j third-party dependency to version 2.20.0. (NEVISAUTH-4324)
- UPGRADED: We updated the Nimbus OAuth2 SDK third-party dependency to version 10.11. (NEVISAUTH-4324)
- UPGRADED: We updated the MariaDB jdbc driver third-party dependency to version 3.1.4. (NEVISAUTH-4324)
- UPGRADED: We updated the slf4j third-party dependency to version 2.0.7. (NEVISAUTH-4324)
- UPGRADED: We updated the Woodstox third-party dependency to version 6.5.1. (NEVISAUTH-4324)
- DEPRECATED: The remote session store property `connectionMaxRetry` is deprecated and will be removed without a replacement, as it belongs to the old connector implementation. Similar behaviour can be controlled by the new `connectionTimeout` property. (NEVISAUTH-4279)
- NEW: A new experimental `KerberosLoginAuthState` is now available and will replace the functionality of the deprecated `FrontendKerberosAuthState` in the November 2023 release. For further details see the updated Kerberos Integration chapter and the description of the KerberosLoginAuthState. (NEVISAUTH-4193)
- DEPRECATED: JavaScript support for the ScriptState is deprecated and will be removed in the November 2023 rolling release. (NEVISAUTH-4369)
- DEPRECATED: Custom SessionId generation by configuring your custom class using "file://..." in the sessionIdRandomBytes is deprecated and will be removed in the November 2023 release. (NEVISAUTH-4381)
- DEPRECATED: The securityLevel attribute of the esauth-server element in the esauth4.xml is deprecated and will be removed in the November 2023 release. (NEVISAUTH-4387)
- EXPERIMENTAL: Introduced support for PostgreSQL 15.0-15.3 databases for the Remote Session Store and the OutOfContextDataService. (NEVISAUTH-4390)
- NEW: The Http Clients supplied by nevisAuth can now be configured programmatically. (NEVISAUTH-4350)
nevisAuth 4.39.3.1 - 07.08.2023
Changes and new features
- FIXED: We fixed an issue where nevisAuth could not parse some data from nevisMeta. (NEVISAUTH-4291)
nevisAuth 4.39.2.0 - 10.07.2023
Changes and new features
- FIXED: We fixed an NPE in `IdentityProviderState` when no SP is configured. (NEVISAUTH-4304)
- FIXED: We fixed an expired SecToken causing an HTTP 500 error when trying to acquire the sessionId. This case is now handled the same way as a session that is not found or already removed. (NEVISAUTH-4297)
- FIXED: We fixed a concurrency issue where SAML message signing and signature verification threads sometimes used the wrong keys when an HSM was configured. (NEVISAUTH-3952)
nevisAuth 4.39.1.0 - 05.06.2023
Changes and new features
- FIXED: We fixed the incorrect calculation of the absolute timeout (absto) when the reaperTimeoutTolerance was not set. Its default value, 10% of the sessionMaxLifetime, was improperly calculated. This bug was introduced in the 2023 February release. (NEVISAUTH-4272)
- FIXED: We fixed a concurrency issue in the DocumentProcessor and ConditionalDocumentProcessor auth states, which caused errors when the documents were refreshed. These errors occurred because the document object was constructed using lazy initialization. This is no longer the case, which might increase memory usage when dealing with big XML documents. In case you experience a problem with this change, you can use the `parser.lazyLoading` backwards compatibility flag to restore the old behaviour. (NEVISAUTH-4268)
nevisAuth 4.39.0.6 - 17.05.2023
Changes and new features
Breaking changes
- CHANGED: The `nevisauth-test-authstateharness` testing framework and the nevisAuth SDK examples now use JUnit 5. (NEVISAUTH-3865)
- CHANGED: We simplified the JSON event logging in nevisAuth. The `nevisevents-1.1.6.2.jar` has been removed, the system property `-Dch.nevis.events.config` is no longer used and `nevisevents.xml` is not used. To enable JSON event logging, configure the `ch.nevis.esauth.events` logging category in the logging.yml to `INFO`. To disable it, configure the `ch.nevis.esauth.events` logging category to `FATAL`. The previous logging category `nevis.events` is no longer effective; replace it with `ch.nevis.esauth.events`. Note that this logging category did not exist previously, so on older nevisAuth instances the logging level of the root logger applies. (NEVISAUTH-3937)
- CHANGED: We added a validation for the token endpoint request. From now on the AuthorizationServer will not accept requests from a confidential client that use an authentication method not matching the one specified in the configuration of this client. If the authentication method for a confidential client is not set in the configuration, it is assumed to be `client_secret_basic`, as the standard mandates. (NEVISMETA-1859)
- REMOVED: We removed the `nevis-common-commons-1.0.10.0.jar` library from nevisAuth; the parts nevisAuth required from it are now part of the nevisAuth code. (NEVISAUTH-3937)
- REMOVED: We removed the `UsernameToken` auth state. Use `WSSHeaderValidation` with the transition `untoken` instead. (NEVISAUTH-4056)
- REMOVED: We removed the custom database driver setting mechanism using Class.forName() for the remote session store. In Kubernetes environments this sporadically caused nevisAuth to hang on startup, due to a static initializer block deadlock between java.sql.DriverManager and org.mariadb.jdbc.Driver. Now the database driver is entirely determined by the JDBC drivers on the classpath, based on the supplied JDBC URL. In case you use MySQL, the database driver is determined by the implementation details of the driver. (NEVISAUTH-4076)
- REMOVED: The deprecated sectoken formats `0.9`, `1.0` and `ASN1-1.0` are removed. The recommended format is CSSO-1.0. (NEVISAUTH-4011)
- REMOVED: We removed the `vmargs` legacy command in the administrative CLI. Use `nevisauth <instance> config env` to configure the `JAVA_OPTS`. (NEVISAUTH-3134)
- REMOVED: We removed the deprecated MySQL support in the remote session store. (NEVISAUTH-4078)
General Changes
- UPGRADED: We updated the Jackson third-party dependency to version 2.15.0. (NEVISAUTH-3964)
- UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.10. (NEVISAUTH-4163)
- UPGRADED: We upgraded Snakeyaml third-party dependencies to version 2.0. (NEVISAUTH-3964)
- NEW: `AuthRequest` now has a method `getHttpHeader(String headerFieldName)` to get HTTP headers case-insensitively in the esauth4.xml, custom auth states and Groovy script states. (NEVISAUTH-4059)
- NEW: We introduced Force Pushed Authorization Requests configuration for the Authorization Server. (NEVISMETA-1857)
- NEW: We added a setting for the Force Pushed Authorization Requests Endpoint configuration for the OAuth2 Server Metadata/OIDC Discovery endpoint. (NEVISMETA-1857)
- NEW: We added a REST service for the Force Pushed Authorization Requests Endpoint. (NEVISMETA-1857)
- NEW: We added the option `client_secret_post` for `tokenEndpointAuthMethod` in `AuthorizationServer`. (NEVISMETA-1858)
- CHANGED: `ConsentState` now creates an HttpClient per auth state, not per request. (NEVISAUTH-3596)
- CHANGED: The excessive warning message `renderElement evaluated to 'null'` is now only logged on debug level. (NEVISAUTH-4096)
- CHANGED: Logging of the OAuth2 metadata newly fetched from nevisMeta is moved from `INFO` to `DEBUG` in the `OAuth2` logger. (NEVISAUTH-4185)
- CHANGED: The excessive warning message `AuthState '<AuthState>' did not specify a GUI descriptor for GUI 'null'. HINT: if this AuthState displays a GUI, check the configuration` is now only logged on debug level. (NEVISAUTH-3757)
- CHANGED: Some startup related log messages from `EsAuthSv` and `AuthEngine` are moved to `EsAuthStart`. (NEVISAUTH-4225)
- FIXED: The `httpclient.connection.timeout` was handled incorrectly, causing the configured value to be ignored and a 3 minute timeout to be applied. This property now properly controls the connection and socket timeout together. The new default value is a more reasonable 30 seconds. (NEVISAUTH-4063)
- FIXED: We fixed the issue where special characters in the input validation triggered the error `org.mozilla.javascript.EvaluatorException: missing ; before statement`. (NEVISAUTH-3222)
- FIXED: We removed the excessive stacktrace printing on DEBUG log level in case of the message `No resource found for`. (NEVISAUTH-4111)
- FIXED: We fixed the incorrectly calculated `x5t#S256` value in the JWTToken auth state. (NEVISAUTH-4198)
- FIXED: We fixed the issue that the OAuth 2.0 Authorization Server Metadata endpoint sometimes showed outdated information. (NEVISAUTH-4242)
- FIXED: We fixed the error handling of the StaleSessionException, which incorrectly caused the authentication call to fail. Normally such events should only be logged on info level. (NEVISAUTH-4256)
- DEPRECATED: The `SAPTicketIssuer` and `SAPTicketValidator` auth states are deprecated and will be removed in one of the upcoming releases. (NEVISAUTH-4126)
- DEPRECATED: The previously deprecated auth states ch.nevis.esauth.auth.states.standard.Dispatcher and ch.nevis.esauth.auth.states.jndi.DomainDispatcher will be removed in the upcoming releases. For dispatching purposes use the ConditionalDispatcherState instead. (NEVISAUTH-4131)
- DEPRECATED: The method `getHttpHeaderFromRequest` in the `AuthState` base class is deprecated and will be removed in one of the upcoming releases. Use the new request.getHttpHeader instead. (NEVISAUTH-4059)
- DEPRECATED: The verifySignature, verifyTrust, ignoreDataEncryption, ignoreKeyEncryption, extractX509SignerCertOnly and allowNamespaceQualifiedPasswordTypes configuration options in the `WSSHeaderValidation` auth state are deprecated and planned to be removed without replacement. (NEVISAUTH-3522)
- DEPRECATED: The configuration and notes properties `smtpHost` and `smtpPort` of the `SendMail` and `Tan` auth states are deprecated and will be removed in one of the upcoming releases. Use `mail.smtp.host` and `mail.smtp.port` (or `mail.smtps.host` and `mail.smtps.port` if you defined smtps; more about smtps here) instead. (NEVISAUTH-4201)
- DEPRECATED: The demo auth states `ClientCertInfo` and `ClientCertFingerprint` are deprecated and will be removed in one of the upcoming releases. (NEVISAUTH-4213)
- DEPRECATED: The `locale` property of the `SecurityTokenServiceClient` is deprecated and will be removed without a replacement in one of the upcoming releases. By default UTC is used. (NEVISAUTH-4173)
- DEPRECATED: The `useGmt` property of the `TokenSpec` configuration in the esauth4.xml is deprecated and will be removed without a replacement in the future. The default value is true. (NEVISAUTH-4173)
- DEPRECATED: In the ScriptStates the `oocd` was deprecated earlier with the announcement that it would be replaced by the `dataPersistenceService`. We realized this might not be ideal, therefore we are going to keep the `oocd` and remove the `dataPersistenceService` in the 2023 November release. Note that deprecated methods in the `oocd` will be removed. (NEVISAUTH-4150)
- DEPRECATED: The default file based OOCD is deprecated and will be removed in the 2023 November release. For production setups the SQL based implementation is recommended. For testing purposes an in-memory replacement will be introduced. (NEVISAUTH-4150)
- DEPRECATED: All deprecated nevisAuth API will be consolidated in the 2023 November release. Most of these will be removed and migration to the recommended alternatives will be required. Some will be un-deprecated. (NEVISAUTH-4150)
nevisAuth 4.38.4.0 - 18.04.2023
Changes and new features
- FIXED: We fixed the incorrectly calculated `x5t#S256` value in the JWTToken auth state. (NEVISAUTH-4198)
- FIXED: We fixed the issue that in some cases nevisAuth could not parse the OAuth2 metadata fetched from nevisMeta. (NEVISAUTH-4210)
- FIXED: We added the missing required property `id_token_signing_alg_values_supported` to the OpenID Connect Discovery service. (NEVISAUTH-4238)
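NEVISAUTH-4198 above fixed the `x5t#S256` value the JWTToken auth state emits, and a relying party that keys certificate lookup on that header will silently fall back or fail when it is wrong. The following added Python example (not nevisAuth code) shows the two thumbprint header parameters as RFC 7515 defines them, base64url without padding over the SHA-256 or SHA-1 of the DER certificate, plus a checker that names the usual ways to get them wrong. The bytes `b"abc"` stand in for DER (the computation never parses the certificate, and their digests are public known-answer values); a real check loads the `.der` or `.crt` the auth state was configured with.

```python
"""X.509 thumbprint header parameters for a JWS (added example, not nevisAuth
code). `x5t#S256` is base64url(SHA-256(DER certificate)) without padding and
`x5t` the same over SHA-1 (RFC 7515 sections 4.1.7 and 4.1.8). The computation
never parses the certificate, so the constructed bytes b"abc" stand in for DER
here: their digests are public known-answer values."""
from __future__ import annotations
import base64
import hashlib

# Constructed stand-in for a DER encoded certificate (a real one comes from a .crt/.der file).
SAMPLE_DER = b"abc"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode; thumbprints are over these DER bytes, never over the PEM text."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def x5t_s256(der: bytes) -> str:
    return b64url_nopad(hashlib.sha256(der).digest())


def x5t(der: bytes) -> str:
    return b64url_nopad(hashlib.sha1(der).digest())


def check_thumbprint_headers(header: dict, der: bytes) -> list[str]:
    """Compare thumbprint parameters of a JWS header with the certificate; empty list = consistent.
    Mismatches are annotated with the encoding mistake when it can be recognised."""
    findings = []
    expected = {"x5t#S256": (x5t_s256(der), "sha256"), "x5t": (x5t(der), "sha1")}
    for name, (want, algo) in expected.items():
        got = header.get(name)
        if got is None or got == want:
            continue
        hint = ""
        if got == hashlib.new(algo, der).hexdigest():
            hint = " (hex digest instead of base64url)"
        elif got.replace("+", "-").replace("/", "_").rstrip("=") == want:
            hint = " (padded or standard base64 instead of base64url without padding)"
        findings.append(f"{name} mismatch: got {got}, expected {want}{hint}")
    return findings


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print({"x5t#S256": x5t_s256(der), "x5t": x5t(der)})
    print(check_thumbprint_headers({"alg": "RS256", "x5t#S256": "ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}, der))
```

When a verifier selects the key by `x5t#S256`, treat a value that only matches after re-encoding as a mismatch: the header is an exact identifier, and normalising it on the consumer side would hide exactly the kind of issuer bug this release fixed.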
nevisAuth 4.38.3.0 - 27.03.2023
Changes and new features
- CHANGED: To protect better against XML Signature Wrapping attacks, we now count the number of Response and Assertion elements in SAML responses. (NEVISAUTH-4152)
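The counting check above is cheap and worth having in any SAML consumer: a wrapped response keeps the signed assertion somewhere the signature still validates (an `Extensions` element, for instance) and places an unsigned one where the application reads it. The following is an added Python example, not the nevisAuth implementation: it counts `samlp:Response` and `saml:Assertion` elements over the whole document and rejects anything other than exactly one of each. Both documents are constructed and unsigned, since only the counting is shown.

```python
"""Element-count guard against XML Signature Wrapping in SAML responses
(added example, not the nevisAuth implementation). A response a service
provider accepts should contain exactly one samlp:Response and one
saml:Assertion, counted over the whole document, because a wrapped message
hides a second copy where the signature verifier does not look. Both
documents below are constructed and unsigned: only the counting is shown."""
from __future__ import annotations
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
COUNTED = {"Response": f"{{{SAMLP}}}Response", "Assertion": f"{{{SAML}}}Assertion"}

CLEAN_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed wrapping: the original assertion is moved into an Extensions
# element (still referenced by a signature), an unsigned one takes its place.
WRAPPED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def count_saml_elements(xml_text: str) -> dict[str, int]:
    """Count Response and Assertion elements anywhere in the document,
    including nested ones, which is where wrapping attacks put them."""
    root = ET.fromstring(xml_text)
    return {name: sum(1 for _ in root.iter(tag)) for name, tag in COUNTED.items()}


def reject_if_wrapped(xml_text: str) -> list[str]:
    """Return the reasons to reject the message; an empty list means it passes this check."""
    counts = count_saml_elements(xml_text)
    return [f"expected exactly one {name} element, found {n}"
            for name, n in counts.items() if n != 1]


if __name__ == "__main__":
    print(reject_if_wrapped(CLEAN_RESPONSE))
    print(reject_if_wrapped(WRAPPED_RESPONSE))
```

This check is necessary but not sufficient: the consumer must still verify that the signature's reference resolves to the very assertion element it consumes, and untrusted XML should go through a hardened parser (for example defusedxml) before any counting, since the standard-library parser does not protect against entity expansion attacks.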
nevisAuth 4.38.0.12 - 15.02.2023
Changes and new features
Breaking changes
- CHANGED: All HTTP client implementations of nevisAuth and the corresponding auth states have been replaced with a new implementation, visit the migration guide for more details. (NEVISAUTH-3513)
- CHANGED: We did a major cleanup in the session handling, which has 2 implications for custom AuthStates: the `LocalSession` type was merged into the `Session` type, and the `SessionCoordinator` interface now contains all operations accessed by AuthStates, therefore the `LocalSessionCoordinator` was deleted. (NEVISAUTH-3902)
- CHANGED: Breaking changes in the session configuration. The `SessionCache` element is removed; its configuration attributes are redistributed to the `SessionCoordinator`, `SessionIndexing`, `LocalSessionStore` and `RemoteSessionStore` elements. Most of the default values changed. Documented in more detail in the migration guide. (NEVISAUTH-3902)
- REMOVED: We renamed the `Store` logging category to `LocalSessionStore` and `Syncer` to `RemoteSessionStore`. (NEVISAUTH-3902)
- REMOVED: We removed the `name`, `mode`, `proxyTarget`, `proxyProvider`, `sessionCheckAccessOnly`, `sessionEstablishedAccessOnly`, `joinPolicy` attributes and the `AccessController`, `HandoverPolicy`, `Monitor` child elements from the `SessionCoordinator` section of the `esauth4.xml`. (NEVISAUTH-3902)
- REMOVED: We removed the `name`, `notifierThreads` attributes and the `StaticSessionMember` child element from the `SessionCache` section of the `esauth4.xml`. (NEVISAUTH-3902)
- REMOVED: We removed the `AccessController` child element from the `AuthEngine` section of the `esauth4.xml`. (NEVISAUTH-3902)
- REMOVED: The deprecated AdfsTokenRequester auth state has been removed without replacement. (NEVISAUTH-3654)
- REMOVED: The deprecated SwissPhoneXml TAN channel has been removed, use the SwissPhone TAN channel instead. (NEVISAUTH-3645)
- REMOVED: The deprecated EMI/UCP TAN channel is removed without a replacement. (NEVISAUTH-3472)
- REMOVED: The ch.nevis.esauth.auth.states.saml.AuthnRequestProvider is removed without a replacement. (NEVISAUTH-3945)
- REMOVED: The ch.nevis.esauth.auth.states.saml.ProviderCommon is removed without a replacement. (NEVISAUTH-3945)
- REMOVED: The ch.nevis.esauth.auth.states.saml.SAMLProtocolDispatcher is removed without a replacement. (NEVISAUTH-3945)
- REMOVED: The deprecated `AssembleInArgs`, `CreateSessionState`, `SetIntoSession`, `AddEncodedOutArgs`, `AddSecurityRole`, `OutArgsToSession` auth states are removed and superseded by `TransformAttributes`. Note that `TransformAttributes` does not keep the order of the property elements in the `esauth4.xml`, so do not rely on the order in which the variables are defined. Additionally, the syntax `=~` is no longer supported in the `condition` of the property name. (NEVISAUTH-3971)
- REMOVED: The http support in the DocumentProcessor and ConditionalDocumentProcessor AuthStates property parser.schema is removed. (NEVISAUTH-3658)
- REMOVED: The dependency jcan-sec is removed. In case you used packages `ch.nevis.jcan.sec.tools.*` in your AuthState, you can replace that functionality with standard Java features or Bouncy Castle. (NEVISAUTH-3862)
- REMOVED: The configuration file `esauth4.management.xml`, used only for v1 and v2 nevisAdmin, is removed. (NEVISAUTH-2520)
- REMOVED: The backwards compatibility flag `useStaticIv` is removed. You can no longer enable insecure encryption in `ReadFromCacheState`, `ConditionalDocumentProcessor`, and `TransformAttributes`. (NEVISAUTH-2695)
- REMOVED: We removed the Groovy test libraries `groovy-test`, `groovy-test-junit5`, `groovy-testng` and their dependencies from `/opt/nevisauth/plugin/`. As Groovy is used in ScriptStates, test classes must not be available to production code. (NEVISAUTH-3938)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.6, which has a breaking change for custom AuthState testing setups. Instead of `log4j-slf4j-impl`, use the new log4j implementation `log4j-slf4j2-impl`. (NEVISAUTH-3956)
- UPGRADED: We upgraded the mariadb-java-client third-party dependency to version 3.1.2. In case you used configuration parameters in the JDBC URL, check the removed options here. Another notable difference is that the driver no longer sets certain properties, including autocommit: check your database configuration and add `?autocommit=true` to your connection URL if needed. The new driver also allows better logging options, see here. (NEVISAUTH-3977)
General Changes
- NEW: AuthorizationServer now supports response_mode=form_post for the authorization code flow. (NEVISAUTH-3596)
- NEW: AuthorizationServer with dataSource=nevismeta can now skip for a while the metadata updates triggered by an unknown client. (NEVISAUTH-3918)
- NEW: acsUrlWhitelist.uris in IdentityProviderState supports an asterisk wildcard at the beginning and end of the URIs. (NEVISAUTH-3949)
- NEW: Experimental feature: Configure acsUrlWhitelist.uris.refresh.period in IdentityProviderState to automatically refresh the value of acsUrlWhitelist.uris. The feature works with classic VM deployments only. (NEVISAUTH-3949)
- NEW: For the JWTToken auth state, you can now configure the Key Identifier kid header parameter. (NEVISAUTH-3839)
- NEW: The JWTToken auth state now automatically generates the X.509 certificate SHA-256 thumbprint header parameter x5t#S256 when a private key is supplied as part of the auth state configuration. (NEVISAUTH-3839)
- NEW: Gui element labels now support the usage of expression language (EL), for example: <Gui name="account" label="#{something == 'someting' ? 'title.no_account' : 'title.account'}"> (NEVISAUTH-3675)
- NEW: Gui element has an additional optional attribute renderElement with expression language (EL) support. This attribute defines whether the gui element will be sent to nevisLogRend to be rendered. (NEVISAUTH-3675)
- CHANGED: StringUtils, StringEscapeUtils, DateFormatUtils, DateUtils used in esauth4.xml expressions now use commons-lang3, which is backwards compatible. (NEVISAUTH-1864)
- CHANGED: HttpClients in AuthStates are now created at AuthState initialization and not per request processing. Connection pooling can be properly configured now. (NEVISAUTH-4010)
- CHANGED: Communication between nevisAuth and nevisMeta configured in the AuthorizationServer uses the ETag and the If-None-Match headers. You have to upgrade nevisMeta to 1.18.x.y before upgrading nevisAuth to 4.38.x.y. (NEVISAUTH-3918)
- FIXED: RadiusFacade was filling up the memory with diagnostic messages in the ThreadLocal of the worker thread. The issue is now fixed. (NEVISAUTH-3891)
- FIXED: Java Util Logging messages were incorrectly logged in /var/log/messages because the previous log4j2 upgrade caused the JUL bridging to not work correctly. The proper configuration is now added automatically at runtime. In case you relied on checking the message "JAX-WS servlet initializing" to see if nevisAuth is started, you have to enable com.sun.xml.ws on INFO level to still see this message. (NEVISAUTH-3826)
- FIXED: A too long errorDetail triggered an IOException in OperationFailedEvent and OperationOngoingEvent. The errorDetail is now trimmed in case it exceeds the limit. (NEVISAUTH-3933)
- FIXED: Access tokens generated by the refresh token and client credentials grants were missing the issuer. We now add the issuer to the access token. (NEVISAUTH-3922)
- FIXED: AuthorizationServer initiated excessive requests towards nevisMeta when multiple requests arrived for which the client was not found. We introduced several improvements in this area. (NEVISAUTH-3840)
- FIXED: Invalid negative Token TTL values are set to 0 (zero). If this occurs, the debug message "Session already expired because notAfter has passed. Setting ttl=0" is generated. (NEVISAUTH-3999)
- FIXED: Fixed a locking failure in the process of upgrading sessions to the authenticated state when idPreGenerate is enabled and the session has already been authenticated once. A warning is also introduced telling that this state is a likely misconfiguration in the system. (NEVISAUTH-4014)
- FIXED: Fixed a failure to create SecTokens using Securosys HSM key material. Side effect of NEVISAUTH-3838 introduced in the November release. (NEVISAUTH-4018)
- UPGRADED: We upgraded the checker-qual third-party dependency to version 3.29.0. (NEVISAUTH-3985)
- UPGRADED: We upgraded the eclipse moxy third-party dependency to version 2.7.11. (NEVISAUTH-3925)
- UPGRADED: We upgraded the Groovy third-party dependency to version 3.0.14. (NEVISAUTH-3985)
- UPGRADED: We upgraded the jackson third-party dependency to version 2.14.1. (NEVISAUTH-3925)
- UPGRADED: We upgraded the Jaxen third-party dependency to version 2.0.0. (NEVISAUTH-4021)
- UPGRADED: We upgraded the Jetty third-party dependency to version 9.4.50.v20221201. (NEVISAUTH-3985)
- UPGRADED: We upgraded the joda-time third-party dependency to version 2.12.2. (NEVISAUTH-3925)
- UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.5. (NEVISAUTH-3985)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.6. (NEVISAUTH-3953)
- UPGRADED: We upgraded the snakeyaml third-party dependency to version 1.33. (NEVISAUTH-3925)
- UPGRADED: We upgraded the ldap unboundid third-party dependency to version 6.0.7. (NEVISAUTH-3953)
- UPGRADED: We upgraded the woodstox-core third-party dependency to version 6.5.0. (NEVISAUTH-3953)
- DEPRECATED: commons-lang version 2 is replaced with commons-lang3 in the nevisAuth codebase. We recommend replacing commons-lang version 2 in your custom AuthState. Version 2 is planned to be removed once it is not required by third-party dependencies. (NEVISAUTH-1864)
- DEPRECATED: In the future, nevisAuth will upgrade the internal jcan-sectoken library to version 2.x. This will remove support for ASN1 tokens. This step is necessary from a maintenance and security aspect, as the ASN1 token support relies on proprietary libraries Nevis has no control over. (NEVISAUTH-3984)
- DEPRECATED: The syncDelay, syncRefreshInterval and syncThreads attributes of the RemoteSessionStore are deprecated. (NEVISAUTH-3936)
- DEPRECATED: The AuthHandoverState auth state is deprecated. (NEVISAUTH-3934)
- DEPRECATED: The UsernameToken auth state is deprecated, use the WSSHeaderValidation instead. (NEVISAUTH-3940)
nevisAuth 4.37.1.1 - 30.11.2022
Changes and new features
General Changes
- FIXED: AuthorizationServer initiated excessive requests towards nevisMeta when multiple requests arrived for which the client was not found. We introduced several improvements in this area. (NEVISAUTH-3840)
- FIXED: A too long errorDetail triggered an IOException in OperationFailedEvent and OperationOngoingEvent. The errorDetail is now trimmed in case it exceeds the limit. (NEVISAUTH-3933)
- FIXED: RadiusFacade was filling up the memory with diagnostic messages in the ThreadLocal of the worker thread. The issue is now fixed. (NEVISAUTH-3891)
- NEW: The AuthorizationServer AuthState now uses pooled connections towards nevisMeta. The maximum size of the connection pool can be configured via nevismeta.http.connection-manager.max-total. (NEVISAUTH-3840)
nevisAuth 4.37.0.2 - 16.11.2022
Changes and new features
Breaking changes
- REMOVED: The deprecated ch.nevis.esauth.auth.states.jndi.ConditionalDispatcherState is removed, use the ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState instead. Package rename only. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.mtan.MTANMailAuthState is removed, use the ch.nevis.esauth.auth.states.tan.TANState instead. AuthState rename only. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.sectoken.SecTokenAssembler is removed, use the ch.nevis.esauth.auth.states.sectoken.TokenAssemblerState instead. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.standard.AuthCheckSingleSession is removed, use the ch.nevis.esauth.auth.states.standard.ThrottleSessionsState instead. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.standard.SOAPDispatcher is removed without replacement. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.standard.SendMail is removed, use the ch.nevis.esauth.auth.states.mail.SendMail instead. Package rename only. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.saml.Consumer is removed, use the ch.nevis.esauth.auth.states.saml.ServiceProviderState instead. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.saml.Provider is removed, use the ch.nevis.esauth.auth.states.saml.IdentityProviderState instead. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.saml.RequestProcessor is removed, use the ch.nevis.esauth.auth.states.saml.IdentityProviderState instead. (NEVISAUTH-3822)
- REMOVED: The deprecated SAML 1.1 ch.nevis.esauth.auth.states.saml.SAMLAssertion is removed without replacement. (NEVISAUTH-3822)
- REMOVED: The deprecated SAML 1.1 ch.nevis.esauth.auth.states.saml.SAMLResponse is removed without replacement. (NEVISAUTH-3822)
- REMOVED: The deprecated SAML 1.1 ch.nevis.esauth.auth.states.saml.SAMLResponse_WLS is removed without replacement. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.wsTrustClient.WsTrustClientState is removed, use the ch.nevis.esauth.auth.states.wstrust.SecurityTokenServiceClient instead. (NEVISAUTH-3822)
- REMOVED: The deprecated ch.nevis.esauth.auth.states.xml.SecTokenSecuredUrlDomProvider is removed, use the ch.nevis.esauth.auth.states.xml.DynamicIntervalUrlDomProvider instead. This is a utility class. (NEVISAUTH-3822)
General Changes
- DEPRECATED: The ch.nevis.esauth.auth.states.saml.AuthnRequestProvider is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3822)
- DEPRECATED: The ch.nevis.esauth.auth.states.saml.ProviderCommon is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3822)
- DEPRECATED: The ch.nevis.esauth.auth.states.saml.SAMLProtocolDispatcher is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3822)
- DEPRECATED: The Kerberos AuthStates are deprecated and are planned to be replaced with a new implementation in a future release. (NEVISAUTH-3823)
- DEPRECATED: The http support in the DocumentProcessor and ConditionalDocumentProcessor AuthStates property parser.schema is deprecated. (NEVISAUTH-3658)
- DEPRECATED: The AdfsTokenRequester auth state is deprecated without replacement and is planned to be removed in the next release. (NEVISAUTH-3654)
- DEPRECATED: The old SwissPhoneXml TAN channel is deprecated, use the SwissPhone TAN channel instead. (NEVISAUTH-3645)
- DEPRECATED: Resource pools are deprecated and are planned to be removed without a replacement in a future release. (NEVISAUTH-3657)
- DEPRECATED: The configuration section Monitor in the esauth4.xml is deprecated. (NEVISAUTH-2700)
- DEPRECATED: The configuration file esauth4.management.xml is deprecated, and used only for v1 and v2 nevisAdmin. (NEVISAUTH-2520)
- DEPRECATED: The EMI/UCP channel in the TANState AuthState is deprecated. (NEVISAUTH-3472)
- DEPRECATED: Supplying a custom SessionCoordinator implementation via the system property ch.nevis.esauth.sess.SessionCoordinator is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3902)
- DEPRECATED: The SessionCoordinator attribute mode is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3902)
- DEPRECATED: The SessionCoordinator property AccessController mode is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3902)
- CHANGED: The discovery endpoint shows subject_type_support when AuthorizationServer sets openid.support to true. (NEVISAUTH-3779)
- CHANGED: A JWKs Service or JWKs URI must be set when AuthorizationServer sets openid.support to true. (NEVISAUTH-3779)
- CHANGED: We now validate upon nevisAuth startup that the SecToken signer privateKey and certificate are matching key material pairs. (NEVISAUTH-3838)
- FIXED: Fixed a png string comparison issue in the CaptchaState. (NEVISAUTH-3765)
- FIXED: Fixed a session flag string comparison issue in the MobileSignatureState. (NEVISAUTH-3765)
- FIXED: Fixed a locking-related performance issue in the session cache which caused general response time spikes when the session reaper ran and EnablePollTerminatedCalls was set to true in the esauth4Connector in nevisProxy. (NEVISAUTH-3781)
- FIXED: Improved exception handling of invalid sessions to reduce the number of error logs and stacktraces in scenarios where this is to be expected. (NEVISAUTH-3727)
- FIXED: Inconsistent remote and local session cache leading to a StackOverflowError. (NEVISAUTH-3726)
- FIXED: All certificates are now correctly parsed from KeyObjects into SecToken trust. (NEVISAUTH-3291)
- UPGRADED: jetty third party dependency is upgraded to version 9.4.49.v20220914. (NEVISAUTH-3804)
- UPGRADED: checker-qual third party dependency is upgraded to version 3.25.0. (NEVISAUTH-3804)
- UPGRADED: groovy-all third party dependency is upgraded to version 3.0.13. (NEVISAUTH-3804)
- UPGRADED: jackson third party dependency is upgraded to version 2.13.4. (NEVISAUTH-3804)
- UPGRADED: joda-time third party dependency is upgraded to version 2.11.1. (NEVISAUTH-3804)
- UPGRADED: libphonenumber third party dependency is upgraded to version 8.12.55. (NEVISAUTH-3804)
- UPGRADED: log4j2 third party dependency is upgraded to version 2.19.0. (NEVISAUTH-3804)
- UPGRADED: snakeyaml third party dependency is upgraded to version 1.32. (NEVISAUTH-3788)
- UPGRADED: unboundid-ldapsdk third party dependency is upgraded to version 6.0.6. (NEVISAUTH-3804)
- UPGRADED: oauth2-oidc-sdk third party dependency is upgraded to version 9.43.1. (NEVISAUTH-3805)
- NEW: client.[clientId].secret in AuthorizationServer supports resolving the configuration value from external variables. See chapter Passwords in the configuration in the reference guide for more details. (NEVISAUTH-3791)
- NEW: clientSecret in RelyingPartyState supports resolving the configuration value from external variables. See chapter Passwords in the configuration in the reference guide for more details. (NEVISAUTH-3791)
- NEW: We introduced the property out.post.relayStateEncoding to encode the post binding RelayState for IdentityProviderState. (NEVISAUTH-3800)
nevisAuth 4.36.1.1 - 31.08.2022
Changes and new features
General Changes
- FIXED: After upgrading the oauth2-oidc-sdk library, the client_id in the Access Token was wrapped wrongly as { "value": "<client_id>" }. Now the wrapping is fixed. (NEVISAUTH-3766)
nevisAuth 4.36.0.4 - 17.08.2022
Changes and new features
Breaking changes
- REMOVED: The deprecated HttpAuthState is removed. Refer to the ScriptState [documentation] for replacement options.
General Changes
- FIXED: We fixed the bug where a long Access Token TTL resulted in an incorrect blacklisting time. (NEVISAUTH-3627)
- FIXED: SAML AuthStates are now able to handle AuthNRequests without issuer. (NEVISAUTH-3635)
- FIXED: We fixed the duplicated key index definition in SqlOOCDService implementation. The change affects the automatic table creation in the nevisAuth component. No automatic migration is provided. The side-effect of the current behaviour is increased disk space usage, as the key index values are stored twice. (NEVISAUTH-3626)
To fix or migrate existing systems, delete the duplicate index, assuming that the table definition from the reference guide or by the nevisAuth component are used:
DROP INDEX IF EXISTS key_idx ON nevisauth_out_of_context_data_service;
If a custom SQL script was used to create the database table, or it is not clear which index should be deleted, the following statement can be used to list indexes:
SHOW indexes FROM nevisauth_out_of_context_data_service;
If docker-based DB images are used, no changes are required.
- FIXED: OIDC Introspection now uses proper URI for refresh tokens stored in nevisMeta. (NEVISAUTH-3688)
- FIXED: We fixed the java.lang.NoSuchMethodException: com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl in the WS-Trust 1.4 SecurityTokenService. (NEVISAUTH-3699)
- FIXED: The admin CLI now correctly lists instances located in a symlink directory. (NEVISAUTH-3718)
- FIXED: We fixed the exception "Could not initialize SSL context: TLSV1_2 SSLContext not available" in AuthStates using the AuthHttpClient when specifying SslContextType TLSV1.2. (NEVISAUTH-3740)
- NEW: We introduced the property nevismeta.http.protocol.content-charset for AuthorizationServer to understand UTF-8 response body from nevisMeta. (NEVISAUTH-3630)
- NEW: OAuth 2 server metadata/OIDC discovery endpoint can now be set to userinfo endpoint. (NEVISMETA-1744)
- NEW: TANState configuration option autoRegenerate now allows the automatic regeneration of a new TAN to be disabled, if the maximum number of retries is exhausted. (NEVISAUTH-3420)
- NEW: AuthorizationServer can now be set to Terms of Service, Policy, jwks and token_endpoint_auth_method for each client. (NEVISMETA-1749)
- NEW: OAuth 2 server metadata/OIDC discovery endpoint now shows the correct token_endpoint_auth_method by combining data from clients. (NEVISMETA-1744)
- NEW: SELinux policy templates are now available at /opt/nevisauth/selinux. (NEVISAPPLIANCE-567)
- CHANGED: OAuth Token Introspection Endpoint always returns Bearer as the token_type in the response. (NEVISAUTH-3674)
- UPGRADED: oauth2-oidc-sdk third-party dependency is upgraded to version 9.37.2. (NEVISAUTH-3669)
- UPGRADED: Jackson third-party dependencies are upgraded to version 2.13.3. (NEVISAUTH-3738)
- UPGRADED: Jetty third-party dependencies are upgraded to version 9.4.48.v20220622. (NEVISAUTH-3738)
- UPGRADED: Log4j third-party dependencies are upgraded to version 2.18.0. (NEVISAUTH-3738)
- UPGRADED: Groovy-all third-party dependency is upgraded to version 3.0.11. (NEVISAUTH-3738)
- UPGRADED: Checker-qual third-party dependency is upgraded to version 3.22.2. (NEVISAUTH-3738)
- UPGRADED: Libphonenumber third-party dependency is upgraded to version 8.12.51. (NEVISAUTH-3738)
- UPGRADED: Unboundid-ldapsdk third-party dependency is upgraded to version 6.0.5. (NEVISAUTH-3738)
nevisAuth 4.35.1.1 - 07.05.2022
Changes and new features
General
- FIXED: We fixed the inappropriate handling for DeferredResponse in SAMLContext. (NEVISAUTH-3697)
- FIXED: java.lang.NoSuchMethodException: com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl in the WS-Trust 1.4 SecurityTokenService. (NEVISAUTH-3699)
- FIXED: OIDC Introspection now uses the proper URI for refresh tokens stored in nevisMeta. (NEVISAUTH-3688)
nevisAuth 4.35.0.8 - 18.05.2022
Changes and new features
Breaking changes
- CHANGED: The previous bc and jcan-log logging using log4j1 is replaced by slf4j using log4j2. Jcan-log is now only used by jcan-optrace, which relies on the slf4j implementation of jcan-log. (NEVISAUTH-3519)
Log4j1 / Log4j2 incompatibility
Log4j2 uses a different configuration structure than log4j1, and they are not compatible. If you are not using nevisAdmin4, you have to migrate the logging configuration manually. Check the default template supplied in the RPM: /opt/nevisauth/template/conf/logging.yml.
NevisAuth requires a logging.yml file in the instance config directory. If it is missing, or the file is incorrectly formatted, a default configuration logs into the stdout which can be viewed in the systemd journal.
nevisAuth now uses log4j2 via Slf4j. In case of custom-developed Java AuthStates, delivering the Slf4j jar together with your custom AuthState can cause issues. The general recommendation is to define every dependency with a scope that is already provided by nevisAuth.
- CHANGED: The logging interface from bc is changed to slf4j in Java AuthStates and ScriptStates. If you use any of the bc methods that have no slf4j counterpart in the table below (marked red in the original), your AuthState breaks, as these methods are not available in slf4j. Note that this only covers regular logging methods, not the exotic utility methods available in the bc interface.
bc | slf4j |
---|---|
enter(Object self, String method), enter(Object self, String method, Object params) | Possible replacement: trace(String msg), trace(String format, Object arg) |
leave(), leave(Object result) | Possible replacement: trace(String msg), trace(String format, Object arg) |
error(String text), error(String text, Throwable exc), error(Throwable exc) | error(String msg), error(String format, Object arg), … |
warning(String text) | warn(String msg), warn(String format, Object arg), … |
info(String text) | info(String msg), info(String format, Object arg), … |
debug_low(String text), debug_med(String text), debug_high(String text), debug(String text) | debug(String msg), debug(String format, Object arg), trace(String msg), trace(String format, Object arg), … |
emergency(String text), alert(String text), critical(String text), msg(Severity severity, String text), msg(Severity severity, String text, Throwable exc), notice(String text) | (no slf4j counterpart) |
- CHANGED: The automatic reload of the logging configuration is supported by using the monitorInterval property of log4j2. The previous configuration option ch.nevis.tracing.refresh is removed. (NEVISAUTH-3519)
- CHANGED: When processing an empty key, such as the default value of a GUI label, against the LitDict, an exception is no longer thrown, but an empty result is generated instead. (NEVISAUTH-3536)
- CHANGED: There is a minor change in the RPM structure. The content of the server directory is now in lib. The original lib directory contained duplicated entries compared to the WAR file. Sub-folders under the plugin directory are exploded, all sub-directories are removed. This only has an effect if you extract internal artifacts (not recommended) from the RPM for third-party AuthState development. (NEVISAUTH-3546)
- CHANGED: The path attribute of the JWKs REST service has changed its meaning and its default value. The parameter is now the whole path of the service instead of only the base part. This means that we do not add anything automatically to the value of the parameter for building the path of the service. We also changed its default value according to this new approach. (NEVISAUTH-3453)
- REMOVED: The NevisSyslogAppender is no longer available. As a replacement we suggest SocketAppender. You can find the reasons and an example in the Logging configuration / Syslog section in the reference guide. (NEVISAUTH-3519)
- REMOVED: The Oracle JDBC and MSSQL JDBC jar are no longer bundled into the application, download them manually from Oracle and Microsoft. This only affects the JDBCAuthState. See the updated description on how to add the manually downloaded jars. (NEVISAUTH-3086)
- REMOVED: The eCH SAML extensions called eCH-0113 is no longer supported. The ch.glue.suisseid:sdk:1.1.0 dependency is removed to improve security, as it is no longer in active use. (NEVISAUTH-3598)
- UPGRADED: Jradius third-party dependency is upgraded to version 1.1.5. It is now downloaded from Maven Central as net.jradius:jradius-core instead of the previous org.coova.jradius:jradius-core. Additionally, net.jradius:jradius-extended is no longer shipped as it is not required for the SecuridAuthenticateState. Note that some third-party extensions in the protocol might still require the library, and that can cause issues in your setup. In such a case, open a support ticket. (NEVISAUTH-3546)
- REMOVED: The deprecated server [TLS configuration property] require-client-auth is removed. Use the successor client-auth instead. (NEVISAUTH-3610)
- UPGRADED: Groovy-all dependency is upgraded to 3.0.10. This can break ScriptStates if you use any syntax that changed between version 2.4.21 and 3.0.10. See the following sections in the Groovy release notes for breaking changes: Split package changes (from beta-2), Other breaking changes. Note that the groovy-all artifact is now a "meta" artifact, which depends on all other groovy artifacts. The groovy-all-<version>.jar no longer exists, there is a separate jar for each artifact. (NEVISAUTH-3576)
- UPGRADED: Jdom third-party dependency is upgraded to version 2.0.6.1. Note that this can break custom Java and Groovy AuthStates if you use the package org.jdom. Version 2.x provides org.jdom2 package naming, so org.jdom no longer works. (NEVISAUTH-3473)
General
- NEW: We introduce the Oauth2 Authorization Server Metadata/OIDC discovery endpoint. Now nevisAuth returns the metadata of the AuthorizationServer AuthStates specified in the configuration. For more information, see [REST service implementations]
- NEW: We introduce integration testing support for custom Java and Groovy AuthState development through existing artifacts. The AuthStateHarness is now part of the nevisAuth SDK, containing examples for both Java and Groovy AuthState testing. Note that this is a medium-term solution only. The long-term solution is under discussion. For more details, see the new testing chapter in the SDK documentation shipped as part of the SDK in the nevisAuth RPM, or separately on the [documentation home]
- NEW: We introduce an Experimental REST endpoint to manage sessions. It supports terminating multiple sessions belonging to the same user. For more information, see the [REST service implementations section] in the Reference guide. (NEVISAUTH-3558)
- FIXED: We fixed the inappropriate separator handling for DeferredResponse in SAMLContext. (NEVISAUTH-3426)
- FIXED: We fixed the bug where nvluser, nvbuser and members of the nevisadmin group could not use the nevisAuth Admin CLI commands. (NEVISAUTH-3560)
- FIXED: You can now verify ArtifactResponse by setting in.verify with ArtifactResponse. (NEVISAUTH-3530)
- CHANGED: The AuthState#getHttpHeaderFromRequest() method visibility is upgraded to public. This allows custom auth states to obtain HTTP headers case-insensitively. (NEVISAUTH-3587)
- CHANGED: The TransformAttributes auth state now supports AES encryption additionally with the modes CBC and GCM. (NEVISAUTH-3597)
- UPGRADED: Auto-value third-party dependency is upgraded to version 1.9. (NEVISAUTH-3568)
- UPGRADED: Checker-qual third-party dependency is upgraded to version 3.21.3. (NEVISAUTH-3568)
- UPGRADED: Commons-cli third-party dependency is upgraded to version 1.5.0. (NEVISAUTH-3568)
- UPGRADED: Commons-io third-party dependency is upgraded to version 2.11. (NEVISAUTH-3470)
- UPGRADED: Commons-lang3 third-party dependency is upgraded to version 3.12.0. (NEVISAUTH-3568)
- UPGRADED: Commons-pool third-party dependency is upgraded to version 1.6. (NEVISAUTH-3568)
- UPGRADED: Jackson third-party dependencies are upgraded to version 2.13.2 and jackson-databind to 2.13.2.2. (NEVISAUTH-3568)
- UPGRADED: Jaxb third-party dependency is upgraded to version 2.3.6. (NEVISAUTH-3568)
- UPGRADED: Jaxrs-ri third-party dependency is upgraded to version 2.3.5. (NEVISAUTH-3471)
- UPGRADED: Jetty third-party dependency is upgraded to version 9.4.45.v20220203. (NEVISAUTH-3568)
- UPGRADED: Joda-time third-party dependency is upgraded to version 2.10.1. (NEVISAUTH-3568)
- UPGRADED: Json-smart third-party dependency is upgraded to version 2.4.8. (NEVISAUTH-3468)
- UPGRADED: Guava third-party dependency is upgraded to version 31.1-jre. (NEVISAUTH-3568)
- UPGRADED: HikariCP third-party dependency is upgraded to version 4.0.3. (NEVISAUTH-3568)
- UPGRADED: Libphonenumber third-party dependency is upgraded to version 8.12.45. (NEVISAUTH-3568)
- UPGRADED: Mariadb-java-client third-party dependency is upgraded to version 2.7.5. (NEVISAUTH-3568)
- UPGRADED: Rhino third-party dependency is upgraded to version 1.7.14. (NEVISAUTH-3568)
- UPGRADED: Tinyradius third-party dependency is upgraded to version 1.1.3. (NEVISAUTH-3568)
- UPGRADED: Unboundid-ldapsdk third-party dependency is upgraded to version 6.0.4. (NEVISAUTH-3568)
- REMOVED: We removed default heapdump and GC settings from default env.conf configuration template. (NEVISAUTH-3600)
nevisAuth 4.34.0.4 - 16.02.2022
Changes and new features
Breaking changes
- NEW: Introduced a new parameter nestedJWSAccessToken for AuthorizationServer to define how the JWS Access Token is generated (nested or not). By default, the JWS Access Token is generated in a non-nested form. (NEVISAUTH-3464)
- CHANGED: LitDict files are loaded as UTF-8 character encoded files by default, instead of ISO-8859-1. There is no automatic migration for existing LitDict files. The configuration option to control the character encoding during LitDict file loading still exists but was deprecated. For more information, see Language support. (NEVISAUTH-3477)
General
- NEW: Introduced singleLogoutURL configuration properties in the IdentityProviderState to use endpoints for logout different to the assertion consumer service endpoints of the ServiceProvider. For more information, see IdentityProviderState. (NEVISAUTH-3230)
- NEW: Introduced Token Revocation REST Endpoint to revoke access token and refresh token. For more information, see REST service implementations. (NEVISAUTH-3434)
- UPDATE: The Token Introspection Service now checks in advance whether the requested token was revoked. (NEVISAUTH-3433)
- UPDATE: New property introspectionService for AccessTokenConsumer to call the TokenIntrospection Endpoint and check whether the token is still active before continuing validation. For more information, see AccessTokenConsumer. (NEVISAUTH-3433)
- NEW: RelyingPartyState and OAuth2ClientState now support variable substitution in the property clientSecret. (NEVISAUTH-3411)
- NEW: Introduced in.max_issue_age for [ServiceProviderState] to verify the IssueInstant issued time. It allows verifying the max age of AuthnInstant and IssueInstant separately. (NEVISAUTH-3315)
- NEW: Introduced the JSON Web Key Set (JWKS) endpoint. Now nevisAuth returns the key set of the AuthorizationServer AuthStates specified in the configuration. For more information, see REST service implementations. (NEVISAUTH-3371)
- NEW: Token Introspection Service and AccessTokenConsumer AuthState now can validate against JWS access token. (NEVISAUTH-3451)
- NEW: The original URL of the RelayState is encoded in ServiceProviderState before it is sent to IdentityProviderState. For more information, see ServiceProviderState. (NEVISAUTH-3341)
- FIXED: nevisAuth did not start up when the truststore configuration was not provided for disabled client-auth. The issue is now fixed. (NEVISAUTH-3460)
- FIXED: The ScriptStates could not access the actor certificate in the request due to a NullPointerException. The issue is now fixed. (NEVISAUTH-3505)
- FIXED: Incorrect absolute timeout of unauthentic sessions (authentication flows that have not yet reached AUTH_DONE) synchronized into the Remote session cache. The incorrect behavior also caused excessive warning messages before. (NEVISAUTH-3033)
So far the absolute timeout for the Remote session cache was always 24h + syncRemoteSessionAbsToTolerance. From now on, the absolute timeout for unauthentic sessions is properly set based on the initialMaxLifetime configuration option. Therefore you might have to set a different value for initialMaxLifetime to experience the same behavior as before.
Your setup is affected if the syncUnauthenticSessions SessionCache property is set to true in the esauth4.xml. By default, it is false, and it is an undocumented flag intended to be used in Kubernetes setups. It is officially not supported in on-premise installations.
- NEW: Added database index to the documentation for the Remote session cache. It can help with response time spikes when caused by a slower remote session store reaper (therefore blocking other database operations). There is no automatic database migration. (NEVISAUTH-3416)
ALTER TABLE TNSSA_AUTH_SESSION_CACHE ADD INDEX (ABSTO);
- DEPRECATED: The system property ch.nevis.esauth.litdict.charset.encoding to control the character encoding during LitDict file loading was deprecated. For more information, see Language support. (NEVISAUTH-3477)
- REMOVED: The supplied log4j version 1.2.17 is patched to remove vulnerable classes org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class. (NEVISAUTH-3491)
- REMOVED: The previously deprecated Couchbase support of the out-of-context data service is removed completely. (NEVISAUTH-3466)
nevisAuth 4.33.0.8 - 17.11.2021
Changes and new features
Using the update installation option of package managers corrupts the installed files under /opt/nevisauth. To fix this issue, do the following:
- Uninstall the nevisAuth package.
- Reinstall the nevisAuth package.
This issue is caused by the package manager update running the post-uninstall script in the old package after the installation of the new package. The post-uninstall script assumes a different directory structure under /opt/nevisauth from what the new package has, which causes it to remove files from the new installation. Manually uninstalling and reinstalling the package solves this issue.
- UPGRADED: javax.mail:mail 1.4.7 to com.sun.mail:jakarta.mail 2.0.1
- NEW: We introduced the new property allowRedirect for the RelyingPartyState and OAuth2ClientState AuthStates. Using this attribute, you can enable or disable redirecting to the original request link after authentication by the OpenID Connect identity provider. For more information, see RelyingPartyState or OAuth2ClientState.
- NEW: We introduced SAML Single Logout Flow with SOAP binding as an option for IdentityProviderState and ServiceProviderState. For more information, see IdentityProviderState or ServiceProviderState.
- NEW: A TokenIntrospectionService configured with only one AuthorizationServer AuthState can now be accessed without the AuthorizationServer AuthState name. For more information, see REST service implementations.
- NEW: We introduced the new encryptAccessToken property for AuthorizationServer that allows returning an AccessToken in JWS format. For more information, see AuthorizationServer.
- NEW: We introduced the new property nevismeta.updateMetadataWhenClientNotFound for AuthorizationServer that can control the cache update mechanism of nevisAuth from nevisMeta if a client is not found in its current cache.
- NEW: The TokenIntrospectionService can now be protected with Basic Authentication. For more information, see REST service implementations.
- NEW: IdentityProviderState is now able to handle assertionConsumerServiceIndex in AuthnRequest. For more information, see IdentityProviderState.
- NEW: We introduced the syncRemoteSessionIndexFormat property in session synchronization to control the format of the session index value used in the remote session cache. For more information, see "Session synchronization" in "Session management".
- NEW: We introduced a new logger, DbPerformance. On INFO level, it logs the response time of the queries to the Remote session store and the Out of context data store. On DEBUG level, it also logs the SQL statement and the parameters.
- CHANGED: TokenIntrospectionService now returns all the claims that are available in the token.
- FIXED: We fixed an issue that caused TokenIntrospectionService to crash with the error message "java.lang.IllegalStateException: The output stream has already been closed". The issue occurred with an incorrect AuthorizationServer name request parameter.
- FIXED: RelyingPartyState can now understand the callback from the IdP without a query string while using ResponseMode="form_post".
- FIXED: We fixed a possible JDBC error which could break the retry mechanism of Session synchronization.
- FIXED: We fixed the unknown login application issue when using compatLevel="none". The issue was caused by a missing domain attribute in the GuiDescriptor sent to nevisLogRend.
- REMOVED: Some Admin CLI commands are deprecated and will be removed with the November Rolling Release. For more information, see Appendix F - Admin CLI and RPM installation changes introduced with 4.33.0.8.
- AUTH_SIGNER_TRUSTSTORE and AUTH_SIGNER_KEYSTORE were mixed up in the KeyStore section of the default esauth4.xml configuration template; switch the values of these two if you use them.
- AUTH_SIGNER_PKCS11_TOKENLABEL is no longer supported.
- The encSecret command is removed, use the pipe:// syntax instead in the esauth4.xml.
nevisAuth 4.32.1.1 - 25.10.2021
Changes and new features
- NEW: Introduced a new logger, DbPerformance. On INFO level, it logs the response time of the queries to the Remote session store and the Out of context data store. On DEBUG level, it also logs the SQL statements and the parameters.
- FIXED: The retry mechanism of Session synchronization was broken because of a possible JDBC error. The issue is now fixed.
- NEW: Introduced a new property syncRemoteSessionIndexFormat in session synchronization, to control the format of the session index value used in the remote session cache. For more information, see "Session synchronization" in "Session management".
nevisAuth 4.32.0.3 - 05.08.2021
Changes and new features
- NEW: The Access Token now includes the iss field when OpenID Support is enabled. The value of the field is extracted from the configuration property openid.issuerId. For more information, see the section "Configuration of the AuthorizationServer" in the chapter "AuthorizationServer" of the nevisAuth reference guide.
- NEW: nevisAuth now includes a new AuthState: OAuth2ClientState. This new AuthState acts as a client for authorization requests with an OAuth2 identity provider. For more information, see the chapter "OAuth2ClientState" in the nevisAuth reference guide.
- FIXED: The error message Unknown variable source 'litdict' erroneously appeared when you configured useLiteralDictionary="false" in the AuthEngine. This bug is fixed.
- FIXED: No truststore information was returned in the case of SAML truststore validation errors. This bug is fixed.
- FIXED: The hostname verification in a TLS server setting triggered misleading warning messages. Additionally, the description of the relevant hostname verification property server.tls.verify-hostname in the nevisAuth Reference Guide was incorrect. These issues are now fixed.
- FIXED: When the AuthorizationServer received a token, it also checked for a secret even if the public client did not have a secret. This bug is fixed. From now on, the AuthorizationServer no longer checks for a secret if the public client does not have a secret.
- UPGRADED: The following vulnerable dependencies have been upgraded: Jetty, Jackson, XMLBeans, Guava, and Groovy.
Groovy is upgraded from version 2.4.12 to 2.4.21. This can affect Groovy scripts used in ScriptStates. If this upgrade poses a problem that you cannot fix in the Groovy scripts, supply the desired Groovy version as described in the section "Installing a specific Groovy version" of the chapter "Writing scripts in Groovy" in the nevisAuth reference guide.
For more information on the available Groovy versions, see http://mvnrepository.com/artifact/org.codehaus.groovy/groovy-all.
- DEPRECATED: Some Admin CLI commands are deprecated and will be removed with the November Rolling Release. For more information, see Admin CLI and RPM Installation Changes in 11.2021 RR Release.
nevisAuth 4.31.1.0 - 19.07.2021
Changes and new features
- FIXED: The RelyingPartyState can handle the errors during the cancellation of the authentication process.
nevisAuth 4.31.0.1 - 05.05.2021
Changes and new features
- NEW: All the data under the SCOPE field of SAML AuthnRequest is now propagated to notes.
- NEW: The RelyingPartyState now has two more configuration properties for responseMode and clientAuthMethod.
- FIXED: OAuth public client previously needed a client secret for login. OAuth public client now can log in without a client secret.
- FIXED: The bug regarding URLs with commas has been fixed. It is now possible to store URLs that include commas in the SAMLContext.
- FIXED: The RelyingPartyState can now use metadata from http://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration for the providerConfiguration.
- FIXED: Excessive warning logs in case the translation of LitDict messages was turned off in nevisAuth. The messages have been moved to the debug logging category.
nevisAuth 4.30.0.2 - 17.02.2021
Changes and new features
- NEW: All data in the SCOPE field of a SAML AuthnRequest is now propagated to notes.
- NEW: The AuthState TANState contains the following new configuration properties for the Swissphone channel:
For further details, see the chapter "TAN authentication plug-ins" of the nevisAuth Reference Guide.
- NEW: The debug logs can now list the sessions that will be removed by the remote session reaper. To enable this new feature, set the logging category Syncer* to "DEBUG".
- FIXED: The issue regarding the nevisMeta clients with the client resource attribute pkce_mode set to "s256-required". These clients are now enforced with code challenge.
- FIXED: The bug regarding URLs with commas has been fixed. It is now possible to store URLs that include commas in the SAMLContext.
- UPDATED: The HTTP client library used by the AuthState TANState (Swissphone channel) is updated.
nevisAuth 4.29.0.249 - 18.11.2020
Support for standalone deployment only
From this release on, only standalone deployment is supported, as mentioned in the "Nevis Product Lifetime and Platform Support Matrix".
Changes and new features
- NEW: There is a new property available for client authentication in TLS settings: server.tls.client-auth. This property is the successor of the property server.tls.require-client-auth. It provides the options "required", "requested", and "disabled". The "old" property server.tls.require-client-auth is deprecated but remains backwards compatible. If you use the new property server.tls.client-auth, the system ignores the property server.tls.require-client-auth and logs a warning.
- FIXED: The bug where shutting down a nevisAuth standalone deployment caused interruptions of ongoing connections. When you now execute a stop command, nevisAuth waits with shutting down until all connections have finished, or until 30 seconds have passed (whichever comes first).
- FIXED: The bug where the property delegateMode of the AttributeDelegater AuthState was not working properly.
- UPDATED: The standalone container/HTTP server.
- UPDATED: Log4j, to the latest minor version.
nevisAuth 4.28.0.230 - 25.07.2020
Changes and new features
- NEW: nevisAuth now supports variable resolution for the arbitraryAuthRequestParam property of the RelyingPartyState. For more information, see the description of the RelyingPartyState AuthState.
- NEW: The kid JOSE header value of the issued access and ID tokens can be configured by the new keyID property of the AuthorizationServer AuthState.
- FIXED: The incorrect handling of "?" in the redirect URI of the AuthorizationServer AuthState has been fixed. The bug was fixed in the Nimbus oauth2-oidc-sdk library, which in certain cases incorrectly created "??" in the URI on redirect.
The content of /opt/nevisauth/plugin/thirdparty/oauth/ is changed due to the library upgrade. If you use the contents of that library in custom AuthStates, you may need to change the classPath setting of that specific AuthState and include the old libraries.
nevisAuth 4.27.0.210 - 20.05.2020
Changes and new features
- NEW: nevisAuth now supports enabling hostname verification when client authentication is required in a standalone deployment. See the new verify-hostname attribute in the Deployment Types section of the reference guide for additional information.
- CHANGED: For security reasons, the IdentityProviderState now requires the property acsUrlWhitelist.uris and refuses to start without it. This breaking change was introduced to prevent opening the infrastructure to XSS attacks.
- CHANGED: Form encryption is enforced in the server if it is configured in the GUI descriptor. In this case, nevisAuth does not accept non-encrypted information sent by the client and the authentication fails. This makes it easier for administrators to spot misconfiguration or potential manipulation attempts. Previous releases accepted unencrypted information in form encryption scenarios. For more information, see Form encryption.
- FIXED: The bug where spaces inside JVM arguments in JAVA_OPTS environment variables in the env.conf configuration file for standalone deployments caused the following error: "Error: Could not find or load main class". This prevented nevisAuth from starting. As a solution, a new definition syntax as array has been introduced for JAVA_OPTS. Now it also allows comments to be used between new lines. The old string type definition is still supported, but to fix the previously mentioned error, you need to change the definition to the array type. For more information, see the section "Standalone" in the chapter "Deployment Types".
When directly using the server CLI to start nevisAuth, the manual sourcing of the env.conf configuration file is no longer necessary. See the example in the section "Example usage of the standalone CLI" in the chapter "Deployment Types".
nevisAuth 4.26.0.192 - 30.01.2020
Changes and new features
- NEW: nevisAuth now supports variable resolution for the ttl attribute of the SubjectConfirmationExtender. For more information on the SubjectConfirmationExtender, see the description of the out.extension property of the IdentityProviderState AuthState.
- NEW: The CaptchaState AuthState contains the new property userInputCaptcha. This property specifies how the user input is provided.
- CHANGED: nevisAuth now provides the SQL out-of-context data service SqlOOCDService Couchbase-based out-of-context data service CouchbaseOOCDService.
- CHANGED: SHA256 is now the default and recommended sign algorithm for SAML AuthStates.
There is an unlikely possibility that this change breaks existing environments. This may happen if no sign algorithm has been defined in the AuthState.
In the rare event that the upgrade to SHA256 does break your environment, downgrading back to SHA1 is not recommended. Rather, investigate how you can upgrade your environment to support SHA256.
- FIXED: The bug that caused the nevisauth status command to write warning messages of type "lsof: WARNING: can't stat() ..." in the standard output (standalone deployment type).
- FIXED: The SAML logout issue that occurred in a setup with multiple nevisAuth instances using a remote SQL session DB.
- FIXED: The problem with the session binding returned by the ScriptState when the session was not defined.
- DEPRECATED: The SessionCoordinator has been deprecated. There is no guarantee that custom AuthStates or ScriptStates using it will work in future releases.
- DEPRECATED: The JBoss and WildFly deployments have been deprecated. They will be removed in the planned November 2020 release. It is recommended to use the standalone deployment instead.
nevisAuth 4.25.0.2 - 05.11.2019
Changes and new features
- NEW: Variable expression resolution is now available for
- NEW: nevisAuth now provides the SQL out-of-context data service.
- NEW: It is now possible to configure the maximum HTTP header size in standalone mode. See Server Configuration Properties in the nevisAuth Reference Guide.
- NEW: You can now specify that an OAuth 2.0 client requires the use of PKCE (to provide a code challenge) in the authorization flow. For more information, see PKCE: https://tools.ietf.org/html/rfc7636#section-4.4.1.
- NEW: nevisAuth now offers support for OAuth 2.0 token introspection as defined in RFC 7662 with nevisMeta. For more information, see OAuth 2.0 Token Introspection.
- NEW: EL expression support is now available for the following properties:
  - out.ttl
  - in.audience.checkrequired
  - limitSessionLifetime
  - out.sign.hashAlgorithm
- CHANGED: nevisAuth does not require the OAuth 2.0 client to provide the client secret if the client is public. If you want to force the client to provide the secret, define the client as confidential.
- CHANGED: For security reasons, the number of TLS protocols and ciphers supported by default by the standalone server has been reduced. See Server Configuration Properties in the nevisAuth Reference Guide for the updated list of supported ciphers and protocols.
This change might break existing deployments. If you use the protocols and ciphers supported by default and your clients do not support them, it is recommended to update your HTTP clients. If this is not possible, then:
- CHANGED: For security reasons, nevisAuth will now use SHA256withRSA as a signing algorithm in case no algorithm is specified in the DynCert AuthState configuration.
In the unlikely case that this change breaks your deployment, it is recommended to upgrade the consumers of the certificate to support SHA256withRSA. If this is not possible, specify the use of SHA1withRSA in the configuration of the DynCert AuthState. For more information about the DynCert AuthState, see Dynamic Certificate Generation AuthState.
- CHANGED: For security reasons, nevisAuth will now use SHA256withRSA to sign the SecTokens in case no algorithm is specified in the token assembler configuration.
In the unlikely case that this change breaks your deployment, it is recommended to upgrade the consumers of the SecToken to support SHA256withRSA. If this is not possible, specify the use of SHA1withRSA in the configuration of the token assembler. For more information about the token assembler configuration, see Token assembler.
- CHANGED: When obtaining bearer tokens from the Token Endpoint in case of OAuth2 Authorization Code Grant or OpenID Connect Hybrid Flow, nevisAuth now calculates the issue and expiration time of the tokens based on the Token Request time. Previously, these calculations were based on the Authorization Request time.
The OAuth2 authorization codes issued with a previous version of nevisAuth cannot be exchanged after upgrading nevisAuth to this version. As a consequence, ongoing OAuth2 authentications might be interrupted after the upgrade.
- FIXED: The issue regarding the default value of the validityPeriod attribute in the DynCertAuthState.
- FIXED: The contention issue regarding the TANService when using the Swissphone channel.
- FIXED: The issue regarding the use of initialization vectors in the TransformAttributes AuthState. Now, the use of randomly generated initialization vectors, instead of static initialization vectors, is recommended.
This change might break existing deployments for external clients relying on the encrypted content of the TransformAttributes AuthState.
Running in "Backwards Compatibility Mode"
It is recommended to update the external clients that are impacted by this change; see the chapter "TransformAttributes AuthState". Alternatively, set the backwards compatibility mode property of the TransformAttributes AuthState to "true". This will generate static initialization vectors as used in previous nevisAuth versions. Note that this backwards compatibility mode might be removed in future releases.
- REMOVED: The backwards compatibility system property flag ch.nevis.session.jdbc.connector.store.absTo has been removed. This flag was introduced in nevisAuth 4.15.1.0.
This removal can break old setups where the ABSTO column is not available in the remote session cache database table TNSSA_AUTH_SESSION_CACHE.
In these cases, manually patch the database with the following SQL command:
ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD ABSTO TIMESTAMP NOT NULL;
If the ABSTO column is not available, most probably the SESSION_INDEX column is missing as well. The column SESSION_INDEX was introduced in nevisAuth 4.19.0.0. In the case of a missing SESSION_INDEX column, you can manually patch the database with the following SQL commands:
ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD SESSION_INDEX VARCHAR(255);
ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD INDEX (SESSION_INDEX);
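Before running the manual patches above (and the ABSTO index from the 4.34 notes), it helps to see which columns and indexes the remote session cache table already has, so that each ALTER is run at most once. The following check is an added example, not part of the nevisAuth release notes; it assumes a MySQL/MariaDB-compatible information_schema and uses the schema name NSS and the table and column names from the notes.

```sql
-- Added example (not from the nevisAuth release notes). Assumes a
-- MySQL/MariaDB-compatible information_schema; schema NSS, table
-- TNSSA_AUTH_SESSION_CACHE and the column names come from the notes above.

-- 1) Which of the two columns introduced by later nevisAuth versions exist?
SELECT
  c.COLUMN_NAME,
  c.DATA_TYPE,
  c.IS_NULLABLE
FROM information_schema.COLUMNS c
WHERE c.TABLE_SCHEMA = 'NSS'
  AND c.TABLE_NAME = 'TNSSA_AUTH_SESSION_CACHE'
  AND c.COLUMN_NAME IN ('ABSTO', 'SESSION_INDEX')
ORDER BY c.COLUMN_NAME;

-- 2) Which of them are already indexed? (The session reaper filters on
--    ABSTO, so a missing index there is what causes the response time spikes
--    described in the 4.34 notes.)
SELECT
  s.INDEX_NAME,
  s.COLUMN_NAME
FROM information_schema.STATISTICS s
WHERE s.TABLE_SCHEMA = 'NSS'
  AND s.TABLE_NAME = 'TNSSA_AUTH_SESSION_CACHE'
  AND s.COLUMN_NAME IN ('ABSTO', 'SESSION_INDEX')
ORDER BY s.INDEX_NAME;

-- 3) Apply only the statements whose column or index was absent above
--    (statements as given in the release notes; uncomment the ones you need).
-- ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD ABSTO TIMESTAMP NOT NULL;
-- ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD SESSION_INDEX VARCHAR(255);
-- ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD INDEX (SESSION_INDEX);
-- ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD INDEX (ABSTO);
```

Run the two SELECTs with a read-only account first; the ALTER statements take a metadata lock on the table, so schedule them outside peak authentication load.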
- REMOVED (breaking change): The binary /opt/nevisauth/bin/keystorepwget is no longer part of nevisAuth. In case this binary is used in configuration files, use the binary provided with nevisKeybox instead: /opt/neviskeybox/bin/keystorepwget.
- REMOVED (breaking change): The undocumented system property ch.nevis.esauth.defaultpassphrasegetters.enable has been removed. This property is related to the removed binary /opt/nevisauth/bin/keystorepwget.
- DEPRECATED: The CouchBase out-of-context data service has been deprecated. For more information about this service, see CouchBase out-of-context data service.